Abstract. A system of linear dependent types for the λ-calculus with full higher-order recursion, called dℓPCF, is introduced and proved sound and relatively complete. Completeness holds in a strong sense: dℓPCF is not only able to precisely capture the functional behavior of PCF programs (i.e. how the output relates to the input) but also some of their intensional properties, namely the complexity of evaluating them with Krivine's Machine. dℓPCF is designed around dependent types and linear logic and is parametrized on the underlying language of index terms, which can be tuned so as to sacrifice completeness for tractability.



Type systems are powerful tools in the design of programming languages. While they have been employed traditionally to guarantee weak properties of programs (e.g. "well-typed programs cannot go wrong"), it is becoming more and more evident that they can be useful when stronger properties are needed, such as security [33, 32], termination [6], monadic temporal properties [26] or resource bounds [25, 4].

One key advantage of type systems seen as formal methods is their simplicity and their close relationship with programs: checking whether a program has a type, or even inferring the (most general) type of a program, is often decidable. The price to pay is the incompleteness of most type systems: there are programs satisfying the property at hand which cannot be given a type. This is in contrast with other formal methods, like program logics [2], where completeness is always a desirable feature, although it only holds relatively to an oracle. Graphically, the situation is similar to the one in Figure 1: type systems are bound to be in the lower-left corner of the diagram, where both the degree of completeness and the complexity of the property under consideration are low; program logics, on the other hand, are confined to the upper-right corner, where checking for derivability is almost always undecidable.

Figure 1: Type Systems and Program Logics (diagram not reproduced; one axis is labelled "Degree of Completeness")

One specific research field in which the just-described scenario manifests itself is implicit computational complexity, in which one aims at defining characterizations of complexity classes by programming languages and logical systems. Many type systems have been introduced capturing, for instance, the polynomial time computable functions [23, 5, 3]. All of them, under mild assumptions, can be employed as tools to certify programs as asymptotically time efficient. However, only a tiny slice of the polytime programs are generally typable, since the underlying complexity class FP is only characterized in a purely extensional sense: for every function in FP there is at least one typable program computing it.

The main contribution of this paper is a type system for the λ-calculus with full recursion, called dℓPCF, which is sound and complete. Types of dℓPCF are obtained, in the spirit of DML [36, 35], by decorating types of ordinary PCF [31, 21] with index terms. These are first-order terms freely generated from variables, function symbols and a few more term constructs. They are indicated with metavariables like I, J, K. Type decoration reflects the standard decomposition of types into linear types (as suggested by linear logic [18]), and is inspired by recent works on the expressivity of bounded logics [13].

Index terms and linear types make it possible to describe program properties with a fine granularity. More precisely, dℓPCF enjoys the following two properties:

• Soundness: if t is a program and ⊢_K t : Nat[I, J], then t evaluates to a natural number which lies between I and J, and this evaluation takes at most (K + 1) · |t| steps;

• Completeness: if t is typable in PCF and evaluates to a natural number n in m steps, then ⊢_I t : Nat[n, n], where I ≤ m.

Completeness of dℓPCF holds not only for programs (i.e. terms of ground types) but also for functions on the natural numbers (see Section 5.3 for further details). Moreover, typing judgments tell us something not only about the functional behavior of programs but also about their non-functional one, namely the number of steps needed to evaluate the term in Krivine's Abstract Machine.

As the title of this paper suggests, completeness of dℓPCF holds in a relative sense. Indeed, the behavior of programs can be precisely captured only in the presence of a complete oracle for the truth of certain assumptions in typing rules. This is exactly what happens in program logics such as Floyd-Hoare's logic, where all true partial correctness assertions can be derived provided one is allowed to use all true sentences of first order arithmetic as axioms [10]. In dℓPCF, those assumptions take the form of (in)equalities between index terms, to be verified when function symbols are interpreted as partial functions on natural numbers according to an equational program ℰ. Actually, the whole of dℓPCF is parametrized on such an ℰ, but while soundness holds independently of the specific ℰ, completeness, as is to be expected, holds only if ℰ is sufficiently powerful to encode all total computable functions (i.e. if ℰ is universal). In other words, dℓPCF can be claimed to be not a type system, but a family of type systems obtained by taking a specific ℰ as the underlying "logic" of index terms. The simpler ℰ, the easier type checking and type inference are; the more complex ℰ, the larger the class of captured programs.

The design of dℓPCF has been very much influenced by linear logic [18], and in particular by systems of indexed and bounded linear logic [19, 13], which have recently been shown to subsume other ICC systems as for the class of programs they capture [13]. One of the many ways to "read" dℓPCF is as a variation on the theme of BLL [19] obtained by generalizing polynomials to arbitrary functions. The idea of going beyond a restricted, fixed class of bounds comes from Xi's work on DML [36, 35]. Cost recurrences for first order DML programs have been studied [20]. No similar completeness results for dependent types are known, however.

2. Types and Program Properties: An Informal Account

Consider the following program:

dbl = fix f.λx. ifz x then 0 else s(s(f(p(x)))).

In a monomorphic, traditionally designed type system like PCF [31, 21], the term dbl receives type Nat → Nat. As a consequence, dbl computes a function on natural numbers without "going wrong": it takes in input a natural number, and produces in output another natural number (if any). The type Nat → Nat, however, does not give any information about which specific function on the natural numbers dbl computes. Indeed, in PCF (and in most real-world programming languages) any program computing a function on natural numbers, be it for instance the identity function or (a unary version of) the Ackermann function, can be typed by Nat → Nat.

Some modern type systems allow one to construct and use types like τ = Nat[a] → Nat[2 × a], which tell not only what set or domain (the interpretation of) the term belongs to, but also which specific element of the domain the term actually denotes. The type τ, for example, could be attributed only to those programs computing the function n ↦ 2 × n, including dbl. Types of this form can be constructed in dependent and sized type theories [34, 6]. The type system dℓPCF introduced in this paper offers this possibility, too. But, as a first contribution, it further allows one to specify imprecise types, like Nat[5, 8], which stands for the type of those natural numbers between 5 and 8 (included).

A property of programs which is completely ignored by ordinary type systems is termination, at least if full recursion is in the underlying language. Typing a term t with Nat → Nat does not guarantee that t, when applied to a natural number, terminates. In PCF this is even worse: t could possibly diverge itself! Consider, as another example, a slight modification of dbl, namely

omega = fix f.λx. ifz x then 0 else s(s(f(x))).

It behaves as dbl when fed with 0, but it diverges when it receives a positive natural number as an argument. But look: omega is not so different from dbl. Indeed, the second can be obtained from the first by feeding not x but p(x) to f. And any type system in which dbl and omega are somehow recognized as being fundamentally different must be able to detect the presence of p in dbl and deduce termination from it. Indeed, sized types [6] and dependent types [34] are able to do so.

Going further, we could ask the type system to be able not only to guarantee termination, but also to somehow evaluate the time or space consumption of programs. For example, we could be interested in knowing that dbl takes a polynomial number of steps to be evaluated on any natural number. This cannot be achieved either using classical type systems or using systems of sized types, at least when traditionally formulated. However, some type systems able to control the complexity of programs exist. Good examples are type systems for amortized analysis [25, 22] or those using ideas from linear logic [5, 3]. In those type systems, typing judgements carry, besides the usual type information, some additional information about the resource consumption of the underlying program. As an example, dbl could be given a type as follows

⊢_I dbl : Nat → Nat

where I is some cost information for dbl. This way, building a type derivation and inferring resource consumption can be done at the same time.

The type system dℓPCF we propose in this paper makes some further steps in this direction. First of all, it combines some of the ideas presented above with the ones of bounded linear logic. BLL allows one to explicitly count the number of times functions use their arguments (in rough notation, !_m σ ⊸ τ says that the argument of type σ is used m times). This permits to extract natural cost functions from type derivations. The cost of evaluating a term will be measured by counting how many times function arguments need to be copied during evaluation. Making this information explicit in types permits to compute the cost step by step during the type derivation process. By the way, previous works by the first author [12] show that this way of attributing a cost to (proofs seen as) programs is sound and precise as a way to measure their time complexity. Intuitively, typing judgements in dℓPCF can be thought of as:

⊢_J t : !_m Nat[a] ⊸ Nat[I],

where I and J can be derived while building a type derivation, exploiting the information carried by the modalities. In fact, the quantitative information in !_m allows one to statically determine the number of times any subterm will be copied during evaluation. But this is not sufficient: analogously to what happens in BLL, dℓPCF makes types more parametric. A rough type such as !_n σ ⊸ τ is replaced by the more parametric type [a < n]·σ ⊸ τ, which tells us that the argument will be used n times, and each instance has type σ where, however, the variable a is instantiated with a value less than n. This allows one to type each copy of the argument differently but uniformly, since all instances of σ have the same PCF skeleton. This form of uniform linear dependence is actually crucial in obtaining the result which makes dℓPCF different from similar type systems, namely completeness.
Finally, as already stressed in the Introduction, dℓPCF is also parametric in the class of functions (in the form of an equational program ℰ) that can be used to reason about types and costs. This permits to tune the type system, as described in Section 6 below.

Anticipating on the next section, we can say that dbl can be typed as follows in dℓPCF:

⊢_I dbl : [b < a + 1]·Nat[a] ⊸ Nat[2 × a].

This tells us that the argument will be used a + 1 times by dbl, and that the cost of evaluation will itself be proportional to a.

3. dℓPCF

In this section, the language of programs and the type system dℓPCF for it will be introduced formally. Some of their basic properties will be described. The type system dℓPCF is based on the notion of an index term, whose semantics, in turn, is defined by an equational program. As a consequence, all these notions must be properly introduced and are the subject of Section 3.1 below.

3.1. Index Terms and Equational Programs. Syntactically, index terms are built either from function symbols from a given signature or by applying any of two special term constructs.

Formally, a signature Σ is a pair (S, α) where S is a finite set of function symbols and α : S → ℕ assigns an arity to every function symbol. Index terms on a given signature Σ = (S, α) are generated by the following grammar:

$$I, J, K ::= a \;\mid\; f(I_1, \ldots, I_{\alpha(f)}) \;\mid\; \sum_{a < I} J \;\mid\; \circledast^{I,J}_a K,$$

where f ∈ S and a is a variable drawn from a set V of index variables. We assume the symbols 0, 1 (with arity 0) and +, − (with arity 2) are always part of S. An index term in the form Σ_{a<I} J is a bounded sum, while one in the form ⊛^{I,J}_a K is a forest cardinality. For every natural number n, the index term n is just the sum of n copies of 1.

Index terms are meant to denote natural numbers, possibly depending on the (unknown) values of variables. Variables can be instantiated with other index terms, e.g. I{J/a}. So, index terms can also act as first order functions. What is the meaning of the function symbols from S? It is the one induced by an equational program ℰ. Formally, an equational program ℰ over a signature Σ and a set of variables V is a set of equations in the form t = s where both t and s are terms in the free algebra 𝔗(Σ, V) over Σ and V. We are interested in equational programs guaranteeing that, whenever symbols in S are interpreted as partial functions over ℕ and 0, 1, + and − are interpreted in the usual way, the semantics of any function symbol f can be uniquely determined from ℰ. This can be guaranteed by, for example, taking ℰ as a Herbrand-Gödel scheme [30] or as an orthogonal constructor term rewriting system [1]. One may wonder why the definition of index terms is parametric on Σ and ℰ. As we will see in Section 6, being parametric this way allows us to tune our concrete type system from a highly undecidable but truly powerful machinery down to a tractable but less expressive formal system. An example of an equational program over the signature Σ consisting of three function symbols gt, add and mult of arity two is the following sequence of equations:

gt(0, b) = 0;
gt(a + 1, 0) = 1;
gt(a + 1, b + 1) = gt(a, b);

add(0, b) = b;
add(a + 1, b) = add(a, b) + 1;

mult(0, b) = 0;
mult(a + 1, b) = add(b, mult(a, b)).

What about the meaning of bounded sums and forest cardinalities? The first is very intuitive: the value of Σ_{a<I} J is simply the sum of all possible values of J with a taking the values from 0 up to I, excluded. Forest cardinalities, on the other hand, require some more effort to be described. Informally, ⊛^{I,J}_a K is an index term denoting the number of nodes in a forest composed of J trees described using K. All the nodes in the forest are (uniquely) identified by natural numbers. These are obtained by consecutively visiting each tree in pre-order, starting from I. The term K has the role of describing the number of children of each forest node n by properly instantiating the variable a, e.g. the number of children of the root (of the leftmost tree in the forest) is K{0/a}. More formally, the meaning of a forest cardinality is defined by the following two equations:

$$\circledast^{I,0}_a K = 0; \tag{3.1}$$

$$\circledast^{I,J+1}_a K = \circledast^{I,J}_a K + 1 + \circledast^{\,I + \circledast^{I,J}_a K + 1,\; K\{I + \circledast^{I,J}_a K / a\}}_a K. \tag{3.2}$$

Equation (3.1) says that a forest of 0 trees contains no nodes. Equation (3.2) tells us that a forest of J + 1 trees contains:

• the nodes in the first J trees;

• and the nodes in the last tree, which are just one plus the nodes in the immediate subtrees of the root, considered themselves as a forest.

To better understand forest cardinalities, consider the following forest comprising two trees:

[Figure: a forest of two trees whose 13 nodes are numbered 0 to 12 in pre-order; the drawing is not reproduced here.]

and consider an index term K with a free index variable a such that K{n/a} = 3 for n = 1; K{n/a} = 2 for n ∈ {2, 8}; K{n/a} = 1 when n ∈ {0, 6, 9, 11}; and K{n/a} = 0 when n ∈ {3, 4, 7, 10, 12}. That is, K describes the number of children of each node in the forest. Then ⊛^{0,2}_a K = 13 since it takes into account the entire forest; ⊛^{0,1}_a K = 8 since it takes into account only the leftmost tree; ⊛^{8,1}_a K = 5 since it takes into account only the second tree of the forest; finally, ⊛^{2,3}_a K = 6 since it takes into account only the three trees (as a forest) in the dashed rectangle.

One may wonder what the role of forest cardinalities in the type system is. Actually, they play a crucial role in the treatment of recursive calls, where the unfolding of recursion produces a tree-like structure whose size is just the number of times the (recursively defined) function will be used globally. Note that the value of a forest cardinality could also be undefined. For instance, this happens when infinite trees, corresponding to diverging recursive computations, are considered.

The expression ⟦I⟧^ℰ_ρ denotes the meaning of I, defined by induction along the lines of the previous discussion, where ρ : V → ℕ is an assignment and ℰ is an equational program giving meaning to the function symbols in I. Since ℰ does not necessarily interpret such symbols as total functions, and moreover the value of a forest cardinality can be undefined, ⟦I⟧^ℰ_ρ can itself be undefined. A constraint is an inequality in the form I ≤ J. A constraint is true in an assignment ρ if ⟦I⟧^ℰ_ρ and ⟦J⟧^ℰ_ρ are both defined and the first is smaller than or equal to the latter. Now, for a subset φ of V, and for a set Φ of constraints involving variables in φ, the expression

$$\phi; \Phi \models_{\mathcal{E}} I \le J \tag{3.3}$$

denotes the fact that the truth of I ≤ J semantically follows from the truth of the constraints in Φ. The expression φ; Φ ⊨_ℰ I ≤ I indicates that (the semantics of) I is defined for the relevant values of the variables in φ; this is usually written as φ; Φ ⊨_ℰ I ⇓.

Similarly, one can define the meaning of expressions like φ; Φ ⊨_ℰ I = J or φ; Φ ⊨_ℰ I ≈ J, the latter standing for the equality of I and J in the sense of Kleene, i.e. φ; Φ ⊨_ℰ I ⇓ if and only if φ; Φ ⊨_ℰ J ⇓, and if φ; Φ ⊨_ℰ I ⇓ then φ; Φ ⊨_ℰ I = J. When both φ and Φ are empty, such expressions can be written in a much more concise form, e.g. I ≈_ℰ J stands for ∅; ∅ ⊨_ℰ I ≈ J.

The following two lemmas about forest cardinalities are useful, and will be crucial when proving the Substitution Lemma.

Lemma 3.1. For all index terms I, J, K, H, we have:

$$\circledast^{I+J,K}_a H \approx \circledast^{J,K}_a H\{a + I/a\}.$$

Proof. The proof is by coinduction on the definition of ⊛^{I+J,K}_a H, by distinguishing the cases for the different values of K. For K ≈ 0 we have both:

$$\circledast^{I+J,0}_a H \approx 0; \qquad \circledast^{J,0}_a H\{a + I/a\} \approx 0.$$

For K ≈ L + 1 we have:

$$\circledast^{I+J,L+1}_a H \approx \circledast^{I+J,L}_a H + 1 + \circledast^{\,I+J+1+\circledast^{I+J,L}_a H,\; H\{I+J+\circledast^{I+J,L}_a H/a\}}_a H,$$

and analogously

$$\circledast^{J,L+1}_a H\{a+I/a\} \approx \circledast^{J,L}_a H\{a+I/a\} + 1 + \circledast^{\,J+1+\circledast^{J,L}_a H\{a+I/a\},\; H\{I+J+\circledast^{J,L}_a H\{a+I/a\}/a\}}_a H\{a+I/a\}.$$

This concludes the proof. □
Lemma 3.2. For all index terms I, J, we have:

$$\circledast^{1,J}_a I \approx \sum_{b<J} \circledast^{0,1}_a I\{a + 1 + \circledast^{1,b}_a I / a\}.$$

Proof. The proof is by coinduction on the definition of ⊛^{1,J}_a I, by distinguishing the cases for the different values of J. For J ≈ 0, we have both:

$$\circledast^{1,0}_a I \approx 0; \qquad \sum_{b<0} \circledast^{0,1}_a I\{a + 1 + \circledast^{1,b}_a I / a\} \approx 0.$$

For J ≈ L + 1 we have

$$\circledast^{1,L+1}_a I \approx K + 1 + \circledast^{K+2,\; I\{K+1/a\}}_a I$$

and

$$\sum_{b<L+1} \circledast^{0,1}_a I\{a + 1 + \circledast^{1,b}_a I / a\} \approx H + \circledast^{0,1}_a I\{a + 1 + \circledast^{1,L}_a I / a\},$$

where K is ⊛^{1,L}_a I and H is Σ_{b<L} ⊛^{0,1}_a I{a + 1 + ⊛^{1,b}_a I / a}. Now, by definition and by Lemma 3.1 we have

$$\circledast^{0,1}_a I\{a + 1 + \circledast^{1,L}_a I / a\} \approx 1 + \circledast^{1,\; I\{K+1/a\}}_a I\{a + 1 + K/a\} \approx 1 + \circledast^{K+2,\; I\{K+1/a\}}_a I.$$

This concludes the proof. □

Before embarking on the description of the type system, a further remark on the role of index terms could be useful. Index terms are not meant to be part of programs but of types. As a consequence, computation will not be carried out on index terms but on proper terms, which are the subject of Section 3.2 below.
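As an added illustration (this is not code from the paper), the following Python script implements the semantics of index terms from Section 3.1: the equational program for gt, add and mult, bounded sums, and forest cardinalities through equations (3.1) and (3.2). It recomputes the four cardinalities of the two-tree forest discussed above, checks Lemma 3.1 and Lemma 3.2 numerically on that forest, and shows an infinite tree coming out as undefined. Assumptions: terms are tagged tuples, − is truncated subtraction on ℕ, and node 5 of the example forest (not listed in the text) is a leaf.

```python
# Meaning of dlPCF index terms (Section 3.1): variables, function symbols interpreted by
# an equational program, bounded sums and forest cardinalities.  Added example, not the
# paper's code.  Assumptions: '-' is truncated subtraction on N, "undefined" is None, and
# bound index variables differ from the free variables of any term substituted for them.
from typing import Optional

# The equational program over {gt, add, mult} of Section 3.1, one clause per equation.
def gt(a, b):      # gt(0,b) = 0; gt(a+1,0) = 1; gt(a+1,b+1) = gt(a,b)
    return 0 if a == 0 else 1 if b == 0 else gt(a - 1, b - 1)
def add(a, b):     # add(0,b) = b; add(a+1,b) = add(a,b) + 1
    return b if a == 0 else add(a - 1, b) + 1
def mult(a, b):    # mult(0,b) = 0; mult(a+1,b) = add(b, mult(a,b))
    return 0 if a == 0 else add(b, mult(a - 1, b))

PROGRAM = {"gt": gt, "add": add, "mult": mult,
           "+": lambda a, b: a + b, "-": lambda a, b: max(a - b, 0)}

# Index terms a | f(I1,..,In) | sum_{a<I} J | forest^{I,J}_a K as tagged tuples.
def var(a): return ("var", a)
def nat(n): return ("nat", n)
def fun(f, *args): return ("fun", f, args)
def bsum(a, I, J): return ("sum", a, I, J)
def forest(a, I, J, K): return ("forest", a, I, J, K)

def subst(t, a, J):
    """t{J/a}: replace the free occurrences of the index variable a in t by J."""
    tag = t[0]
    if tag == "var":
        return J if t[1] == a else t
    if tag == "nat":
        return t
    if tag == "fun":
        return ("fun", t[1], tuple(subst(x, a, J) for x in t[2]))
    b, bounds = t[1], [subst(x, a, J) for x in t[2:-1]]   # bounds lie outside the binder
    return (tag, b, *bounds, t[-1] if b == a else subst(t[-1], a, J))

def meaning(t, rho, prog=PROGRAM, fuel=200) -> Optional[int]:
    """[[t]]_rho under prog; None when undefined (partial symbol or infinite forest)."""
    tag = t[0]
    if tag == "var":
        return rho[t[1]]
    if tag == "nat":
        return t[1]
    if tag == "fun":
        args = [meaning(x, rho, prog, fuel) for x in t[2]]
        return None if None in args else prog[t[1]](*args)
    if tag == "sum":                        # the sum of J for a = 0, ..., I-1
        a, I, J = t[1:]
        bound, total = meaning(I, rho, prog, fuel), 0
        for v in range(bound or 0):
            x = meaning(J, {**rho, a: v}, prog, fuel)
            if x is None:
                return None
            total += x
        return None if bound is None else total
    a, I, J, K = t[1:]
    start, trees = meaning(I, rho, prog, fuel), meaning(J, rho, prog, fuel)
    if start is None or trees is None:
        return None
    return forest_size(a, start, trees, K, rho, prog, fuel)

def forest_size(a, start, trees, K, rho, prog, fuel):
    """Equations (3.1)/(3.2): nodes of `trees` trees numbered in pre-order from `start`,
    node n having K{n/a} children.  `fuel` caps the nodes visited, so an infinite tree
    (a diverging recursion) comes out as undefined instead of looping forever."""
    count = 0
    for _ in range(trees):
        root = start + count                # each tree starts right after the previous ones
        children = None if count >= fuel else meaning(K, {**rho, a: root}, prog, fuel)
        if children is None:
            return None
        below = forest_size(a, root + 1, children, K, rho, prog, fuel - count - 1)
        if below is None:
            return None
        count += 1 + below                  # the root plus its subtrees, seen as a forest
    return count

# The forest of Section 3.1: node n has CHILDREN[n] children, every other node is a leaf
# (node 5 is absent from the list in the text; assuming it is a leaf gives the count 13).
CHILDREN = {1: 3, 2: 2, 8: 2, 0: 1, 6: 1, 9: 1, 11: 1}
PAPER_PROG = {**PROGRAM, "kids": lambda n: CHILDREN.get(n, 0)}
K_PAPER = fun("kids", var("a"))

def paper_forest_values():
    """Whole forest, first tree, second tree, and the three trees rooted at 2, 5, 6."""
    f = lambda I, J: meaning(forest("a", nat(I), nat(J), K_PAPER), {}, PAPER_PROG)
    return f(0, 2), f(0, 1), f(8, 1), f(2, 3)       # -> (13, 8, 5, 6)

def lemma_3_1_holds(I, J, K, H, prog=PAPER_PROG):
    """forest^{I+J,K}_a H == forest^{J,K}_a H{a+I/a}: shifting the start renumbers nodes."""
    left = forest("a", fun("+", nat(I), nat(J)), nat(K), H)
    right = forest("a", nat(J), nat(K), subst(H, "a", fun("+", var("a"), nat(I))))
    return meaning(left, {}, prog) == meaning(right, {}, prog)

def lemma_3_2_holds(J, I, prog=PAPER_PROG):
    """forest^{1,J}_a I == sum_{b<J} forest^{0,1}_a I{a+1+forest^{1,b}_a I / a}."""
    shift = fun("+", fun("+", var("a"), nat(1)), forest("a", nat(1), var("b"), I))
    right = bsum("b", nat(J), forest("a", nat(0), nat(1), subst(I, "a", shift)))
    return meaning(forest("a", nat(1), nat(J), I), {}, prog) == meaning(right, {}, prog)
```

A forest term whose K is the constant 1 (every node has exactly one child) never runs out of nodes, so `meaning` returns None for it, matching the remark that a forest cardinality can be undefined.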

3.2. The Type System. Terms are generated by the following grammar:

t ::= x | n | s(t) | p(t) | λx.t | tu | ifz t then u else v | fix x.t

where n ranges over natural numbers and x ranges over a set of variables. As usual, terms which are equal modulo α-conversion are considered equal. This, in turn, allows one to define the notion of substitution in the standard way. The set of head subterms of any term t can be defined easily by induction on the structure of t, e.g. the head subterms of t = uv are t itself and the head subterms of u (but not those of v).

A notion of size |t| for a term t will be useful in the sequel. This can be defined as follows:

|x| = 1;   |λx.t| = |t| + 1;
|n| = 1;   |tu| = |t| + |u| + 1;
|s(t)| = |t| + 2;   |ifz t then u else v| = |t| + |u| + |v| + 1;
|p(t)| = |t| + 2;   |fix x.t| = |t| + 1.
$$\frac{}{\Gamma, x : \sigma \vdash x : \sigma} \qquad \frac{\Gamma, x : \sigma \vdash t : \tau}{\Gamma \vdash \lambda x.t : \sigma \to \tau} \qquad \frac{\Gamma \vdash t : \sigma \to \tau \quad \Gamma \vdash u : \sigma}{\Gamma \vdash tu : \tau}$$

$$\frac{}{\Gamma \vdash n : \mathtt{Nat}} \qquad \frac{\Gamma \vdash t : \mathtt{Nat}}{\Gamma \vdash s(t) : \mathtt{Nat}} \qquad \frac{\Gamma \vdash t : \mathtt{Nat}}{\Gamma \vdash p(t) : \mathtt{Nat}}$$

$$\frac{\Gamma \vdash t : \mathtt{Nat} \quad \Gamma \vdash u : \sigma \quad \Gamma \vdash v : \sigma}{\Gamma \vdash \mathtt{ifz}\ t\ \mathtt{then}\ u\ \mathtt{else}\ v : \sigma} \qquad \frac{\Gamma, x : \sigma \vdash t : \sigma}{\Gamma \vdash \mathtt{fix}\ x.t : \sigma}$$

Figure 2: The PCF Type System.





$$(\lambda x.t)u \to t\{u/x\} \qquad s(n) \to n+1 \qquad p(n+1) \to n \qquad p(0) \to 0$$

$$\mathtt{ifz}\ 0\ \mathtt{then}\ u\ \mathtt{else}\ v \to u \qquad \mathtt{ifz}\ n+1\ \mathtt{then}\ u\ \mathtt{else}\ v \to v \qquad \mathtt{fix}\ x.t \to t\{\mathtt{fix}\ x.t/x\}$$

$$\frac{t \to u}{s(t) \to s(u)} \qquad \frac{t \to u}{p(t) \to p(u)} \qquad \frac{t \to v}{tu \to vu} \qquad \frac{t \to w}{\mathtt{ifz}\ t\ \mathtt{then}\ u\ \mathtt{else}\ v \to \mathtt{ifz}\ w\ \mathtt{then}\ u\ \mathtt{else}\ v}$$

Figure 3: Weak-head Reduction



Notice that for technical reasons size is defined in a slightly nonstandard way: every integer constant has size 1.

Lemma 3.3. If t is a term and u is a subterm of t, then |u| ≤ |t|.

Terms can be typed by a well-known type system called PCF. Types are those generated by the basic type Nat and the binary type constructor →. Typing rules are in Figure 2. A notion of weak-head reduction can be easily defined: see Figure 3. A term t is said to be a program if it can be given the PCF type Nat in the empty context.
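As an added example (not the paper's own code), here is a small Python interpreter for the weak-head reduction of Figure 3 with a step counter, run on dbl and omega from Section 2: dbl reaches a numeral in finitely many steps, while omega on a positive argument exhausts any step budget. It assumes terms are tagged tuples and that every term substituted for a variable is closed, which holds when reducing closed programs.

```python
# Weak-head reduction of PCF terms as in Figure 3, with a step counter, run on the two
# programs of Section 2.  Added example, not the paper's code.  Assumption: the term
# substituted for a variable is always closed (true when running closed programs), so
# substitution needs no capture avoidance.
from typing import Optional, Tuple

def var(x): return ("var", x)
def nat(n): return ("nat", n)
def s(t): return ("s", t)
def p(t): return ("p", t)
def lam(x, t): return ("lam", x, t)
def app(t, u): return ("app", t, u)
def ifz(t, u, v): return ("ifz", t, u, v)
def fix(x, t): return ("fix", x, t)

def subst(t, x, u):
    """t{u/x}; stops at a binder (lambda or fix) for x."""
    tag = t[0]
    if tag == "var":
        return u if t[1] == x else t
    if tag == "nat":
        return t
    if tag in ("lam", "fix"):
        return t if t[1] == x else (tag, t[1], subst(t[2], x, u))
    return (tag, *(subst(child, x, u) for child in t[1:]))   # s, p, app, ifz

def step(t) -> Optional[tuple]:
    """One weak-head step of Figure 3, or None when t is in weak-head normal form."""
    tag = t[0]
    if tag == "app":
        f, u = t[1], t[2]
        if f[0] == "lam":
            return subst(f[2], f[1], u)                 # (λx.t)u → t{u/x}
        g = step(f)
        return None if g is None else app(g, u)         # t → v  implies  tu → vu
    if tag == "fix":
        return subst(t[2], t[1], t)                     # fix x.t → t{fix x.t/x}
    if tag == "ifz":
        c = t[1]
        if c[0] == "nat":
            return t[2] if c[1] == 0 else t[3]          # ifz 0 / ifz n+1 selects a branch
        g = step(c)
        return None if g is None else ifz(g, t[2], t[3])
    if tag in ("s", "p"):
        c = t[1]
        if c[0] == "nat":                               # s(n) → n+1; p(n+1) → n; p(0) → 0
            return nat(c[1] + 1 if tag == "s" else max(c[1] - 1, 0))
        g = step(c)
        return None if g is None else (tag, g)
    return None                                         # x, n and λx.t do not reduce

def evaluate(t, max_steps=10_000) -> Tuple[Optional[int], int]:
    """Reduce t to a numeral: (n, steps), or (None, steps) when the step budget runs
    out (divergence) or t is stuck on a normal form that is not a numeral."""
    steps = 0
    while steps < max_steps:
        if t[0] == "nat":
            return t[1], steps
        nxt = step(t)
        if nxt is None:
            return None, steps
        t, steps = nxt, steps + 1
    return None, steps

# dbl = fix f.λx. ifz x then 0 else s(s(f(p(x)))), and omega, which feeds x instead of p(x).
F, X = var("f"), var("x")
DBL = fix("f", lam("x", ifz(X, nat(0), s(s(app(F, p(X)))))))
OMEGA = fix("f", lam("x", ifz(X, nat(0), s(s(app(F, X))))))

def run_dbl(n):
    return evaluate(app(DBL, nat(n)))

def run_omega(n, budget=300):
    return evaluate(app(OMEGA, nat(n)), budget)
```

The step counts here are those of the weak-head relation of Figure 3, not of Krivine's machine, so they do not coincide with the cost indices of the type system; what the run does show is the behavioural gap between dbl and omega that the text asks a type system to detect.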

Almost all the definitions about dℓPCF in this and the next sections should be understood as parametric on an equational program ℰ over a signature Σ. For the sake of simplicity, however, we will often avoid explicitly mentioning ℰ and leave it implicit.

dℓPCF can be seen as a refinement of PCF obtained by a linear decoration of its type derivations. Basic and modal types are defined as follows:

σ, τ ::= Nat[I, J] | A ⊸ σ;   (basic types)
A, B ::= [a < I]·σ;   (modal types)

where I, J range over index terms and a ranges over index variables. Nat[I] is syntactic sugar for Nat[I, I]. Modal types need some comments. As a first approximation, they can be thought of as quantifiers over type variables. So, a type like A = [a < I]·σ acts as a binder for the index variable a in the basic type σ. Moreover, the condition a < I says that A consists of all the instances of the basic type σ where the variable a is successively instantiated with the values from 0 to (the value of) I − 1, i.e. σ{0/a}, ..., σ{I − 1/a}. For those readers who are familiar with linear logic, and in particular with BLL, the modal type [a < I]·σ is a generalization of the BLL formula !_{a<p}σ to arbitrary index terms. As such it can be thought of as representing the type σ{0/a} ⊗ ··· ⊗ σ{I − 1/a}. In analogy to what happens in the standard linear logic decomposition of the intuitionistic arrow, i.e. !A ⊸ B = A → B, it is sufficient to restrict to modal types appearing in negative position. Finally, for those readers with some knowledge of DML, modal types are in a way similar to DML's subset sort constructions [35].

$$\frac{\phi;\Phi \models I \Downarrow \quad \phi;\Phi \models J \Downarrow}{\phi;\Phi \vdash \mathtt{Nat}[I,J] \Downarrow}\ (\mathtt{Nat}\Downarrow) \qquad \frac{\phi;\Phi \vdash A \Downarrow \quad \phi;\Phi \vdash \sigma \Downarrow}{\phi;\Phi \vdash A \multimap \sigma \Downarrow}\ (\multimap\Downarrow) \qquad \frac{\phi;\Phi \models I \Downarrow \quad \phi,a;\Phi,a<I \vdash \sigma \Downarrow}{\phi;\Phi \vdash [a<I]\cdot\sigma \Downarrow}\ (!\Downarrow)$$

Figure 4: Well-defined Types

$$\frac{\phi;\Phi \models K \le I \quad \phi;\Phi \models J \le H}{\phi;\Phi \vdash \mathtt{Nat}[I,J] \sqsubseteq \mathtt{Nat}[K,H]}\ (\mathtt{Nat}\sqsubseteq) \qquad \frac{\phi;\Phi \vdash B \sqsubseteq A \quad \phi;\Phi \vdash \sigma \sqsubseteq \tau}{\phi;\Phi \vdash A \multimap \sigma \sqsubseteq B \multimap \tau}\ (\multimap\sqsubseteq) \qquad \frac{\phi;\Phi \models J \le I \quad \phi,a;\Phi,a<I \vdash \sigma \sqsubseteq \tau}{\phi;\Phi \vdash [a<I]\cdot\sigma \sqsubseteq [a<J]\cdot\tau}\ (!\sqsubseteq)$$

Figure 5: The Subtyping Relation

We always assume that index terms appearing inside types are defined for all the relevant values of the variables in φ. This is captured by the judgement φ; Φ ⊢ σ ⇓, whose rules are in Figure 4.

In the typing rules, modal types need to be manipulated in an algebraic way. For this reason, two operations on modal types need to be introduced. The first one is a binary operation ⊎ on modal types. Suppose that A = [a < I]·μ{a/c} and that B = [b < J]·μ{I + b/c}. In other words, A consists of the first I instances of μ, i.e. μ{0/c}, ..., μ{I − 1/c}, while B consists of the next J instances of μ, i.e. μ{I + 0/c}, ..., μ{I + J − 1/c}. Their sum A ⊎ B is naturally defined as a modal type consisting of the first I + J instances of μ, i.e. [c < I + J]·μ. An operation of bounded sum on modal types can be defined by generalizing the idea above. Suppose that A = [b < J]·σ{Σ_{d<a} J{d/a} + b/c}. Then its bounded sum Σ_{a<I} A is [c < Σ_{a<I} J]·σ.

To every type σ corresponds a type (|σ|) of ordinary PCF, namely a type built from the basic type Nat and the arrow operator →:

(|Nat[I, J]|) = Nat;

Central to dℓPCF is the notion of subtyping. An inequality relation ⊑ between (basic and modal) types can be defined by way of the formal system in Figure 5. This relation corresponds to lifting index inequalities to the type level. The equivalence φ; Φ ⊢ σ ≡ τ holds when both φ; Φ ⊢ σ ⊑ τ and φ; Φ ⊢ τ ⊑ σ can be derived from the rules in Figure 5. φ; Φ ⊢ σ ⇓ is syntactic sugar for φ; Φ ⊢ σ ⊑ σ.

It is now time to introduce the main object of this paper, namely the type system dℓPCF. Typing judgements of dℓPCF are expressions in the form

$$\phi; \Phi; \Gamma \vdash^{\mathcal{E}}_I t : \sigma, \tag{3.4}$$

where Γ is a typing context, that is, a set of term variable assignments of the shape x : A where each variable x occurs at most once. The expression (3.4) can be informally read as follows: for all values of the index variables in φ satisfying Φ, t can be given type σ and cost I once its free term variables have types as in Γ. In proving this, equations from ℰ can play a role.

Typing rules are in Figure 6, where binary and bounded sums are used in their natural generalization to contexts. A type derivation is nothing more than a tree built according to typing rules. A precise type derivation is a type derivation such that all premises in the form σ ⊑ τ (respectively, in the form I ≤ J) are required to be in the form σ ≡ τ (respectively, I = J).

First of all, observe that the typing rules are syntax-directed: given a term t, all type derivations for t end with the same typing rule, namely the one corresponding to the last syntax rule used in building t. In particular, no explicit subtyping rule exists, but subtyping is applied to the context in every rule. A syntax-directed type system offers a key advantage: it allows one to prove statements about type derivations by induction on the structure of terms. This greatly simplifies the proof of crucial properties like subject reduction.

Typing rules have premises of three different kinds:

• Of course, typing a term requires typing its immediate subterms, so typing judgements can be rule premises.

• As just mentioned, typing rules allow one to subtype the context Γ, so subtyping judgements can themselves be rule premises.

• The application of typing rules (and also of subtyping rules, see Figure 5) sometimes depends on the truth of some inequalities between index terms in the model induced by ℰ.

As a consequence, typing rules can only be applied if some relations between index terms are consequences of the constraints in Φ. These assumptions have a semantic nature, but could of course be verified by any sound formal system. Completeness (see Section 5), however, only holds if all true inequalities can be used as assumptions. As a consequence, not only type inference but also type (derivation) checking is bound to be problematic from a computational point of view. See Section 6 for a more thorough discussion of this issue.

As a last remark, note that each rule can be seen as a decoration of a rule of ordinary PCF. More: for every dℓPCF type derivation π of φ; Φ; Γ ⊢_I t : σ there is a structurally identical derivation in PCF for the same term, i.e. a derivation (|π|) ▹ (|Γ|) ⊢ t : (|σ|).
3.3. An Example. In this section, we will show how d^PCF can give a sensible type to the 
example we talked about in the Introduction, namely 

dbl = fix /.Ax. ifz x then else s(s(/(p(x)))). 

First, let us take a look at a subterm of dbl, namely t = ifz x then else s(s(/(p(x)))). 
In plain PCF, t receives the type Nat in an environment where x has type Nat and / has 
type Nat Nat. Presumably, a d^PCF type for t can be obtained by decorating in an 
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0; $ ^ J $ 1 ^ I 

0;$ a{0/a} E r 
([a < I] -a) ^ 0; $ T ^ 0; T, a; : [a < I] • a hf t : r 



, ^ „ ^ , 7^ -r^ L 



0; r, X : [a < I] ■ cr hj X : r ' <f>,^,^ hj Xx.t : [a <!]■ a —o t 

;>;^';r hj t : [a < I] • o- ^ r 
0, a; a < I; A u : a 

0;$h^Ecry^2a<i^ h^Nat[I + l,J + l] cNat[K,H] 

(.;$h^H^ J + I + 2„<iK ^ </.;$;rhf t:Nat[I,J] 



f);$;S|-^to:r 0; T |-£ s(t) : Nat[K, H] 

0; $ 1=^ K ^ 

0; $ 1=^ I ^ n 

0;$ n ^ J 0;$ Nat[I^ 1, J ^ 1] c Nat[K,H] 

</.;$h^r4 ^6;$;rh£t :Nat[I,J] 



AT 



r hfi n : Nat[I, J] " ^; T h£ p(t) : Nat[K, H] 

/>;$;r h| t : Nat [I, J] 
^ 0; A hjj u : a 
J ^ 1; A hfi f : o- 
(/); $ S E r w A 
0;$ L ^ K + H 



(?!>; E |-l if z i then u else t; : cr 

0, 6; $, < L; r, X : [a < I] • a hi; * : 1" 
0; $ r{0/h} E /x 
0, a, 6; a < 1, 6 < L h'^ r{@J+^'" I + 6 + 1/6} c a 

(g)°'il^L,M 
S fix xi : 



Figure 6: Typing Rules 

appropriate way the type above. In other words, we are looking for a type derivation with 
conclusion: 

,T : [a < I] • Nat[J], / : [6 < K] • ([c < H] • Nat[L] ^ Nat[M]) t : Nat[P]. 

But how should we proceed? What wc would like, at the end of the day, is being able to 
describe how the value of t depends on the value of x, so we could look for a type derivation 
in this form: 

d;0-x: [I] • Nat[c(|, / : [6 < K] • ([H] • Nat[d ^ 1] ^ Nat[2(d ^ 1)]) Kn * : Nat[2c(|, 
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where [a < I] (respectively, [c < H]) has been abbreviated into [I] (respectively, [H]) because 
the bound variable a (respectively, c) does not appear free in the underlying type. But how 
to give values to I, K, and H? One could be tempted to define I simply as 2, since there 
are two occurrences of x in t. However, in view of the role played by x and / in dbl, I 
should be rather defined taking into account the number of times x will be copied along the 
computation of dbl on any input. A good guess could be, for example, d+ 1. Similarly, H 
could be d. But how about K? How many times / is used? If d = 0, then / is not called, 
while if d > 0, the function is called once. In other words, a guess for H could be gt{d, 0). 
Here we use the infix notation > for the operator gt just to improve readability. Let us 
now try to build a derivation for 

d;0;x : [d + 1]- Nat[d],/ : [d > 0] ■ {[d] ■ Nat[(i- 1] Nat[2((i - 1)]) ho t : Nat[2d]. 

Actually, it has the following shape, where π, ρ and ν name the three premise derivations:

π ▷ d; ∅; x : [1] · Nat[d] ⊢_0 x : Nat[d]
ρ ▷ d; d ≤ 0; x : [d] · Nat[d], f : [d > 0] · ([d] · Nat[d − 1] ⊸ Nat[2(d − 1)]) ⊢_0 0 : Nat[2d]
ν ▷ d; d > 0; x : [d] · Nat[d], f : [d > 0] · ([d] · Nat[d − 1] ⊸ Nat[2(d − 1)]) ⊢_0 s(s(f(p(x)))) : Nat[2d]
──────────────────────────────────────────────────────────────
d; ∅; x : [d + 1] · Nat[d], f : [d > 0] · ([d] · Nat[d − 1] ⊸ Nat[2(d − 1)]) ⊢_0 t : Nat[2d]

where assignments to types in the form [0] · σ have been omitted from contexts. Now, π and ρ can be easily built, while ν requires a little effort: it is the type derivation

μ ▷ d; d > 0; f : [d > 0] · ([d] · Nat[d − 1] ⊸ Nat[2(d − 1)]) ⊢_0 f : [d] · Nat[d − 1] ⊸ Nat[2(d − 1)]
d; d > 0; x : [1] · Nat[d] ⊢_0 p(x) : Nat[d − 1]
──────────────────────────────────────────────────────────────
d; d > 0; x : [d] · Nat[d], f : [d > 0] · ([d] · Nat[d − 1] ⊸ Nat[2(d − 1)]) ⊢_0 f(p(x)) : Nat[2(d − 1)]
──────────────────────────────────────────────────────────────
d; d > 0; x : [d] · Nat[d], f : [d > 0] · ([d] · Nat[d − 1] ⊸ Nat[2(d − 1)]) ⊢_0 s(f(p(x))) : Nat[2d − 1]
──────────────────────────────────────────────────────────────
d; d > 0; x : [d] · Nat[d], f : [d > 0] · ([d] · Nat[d − 1] ⊸ Nat[2(d − 1)]) ⊢_0 s(s(f(p(x)))) : Nat[2d]

where μ and the other premise derivation are themselves easily definable. Summing up, t can indeed be given the type we wanted it to have. As a consequence, we can say that

d; ∅; f : [d > 0] · ([d] · Nat[d − 1] ⊸ Nat[2(d − 1)]) ⊢_0 λx.t : [d + 1] · Nat[d] ⊸ Nat[2d].

However, we have only solved half of the problem, since the last step (namely typing the fixpoint) is definitely the most complicated. In particular, the rule R requires an index variable b which somehow ranges over all recursive calls. A different but related type can be given to λx.t, namely

a, b; b < a + 1; f : [a > b] · ([a − b] · Nat[a − b − 1] ⊸ Nat[2(a − b − 1)]) ⊢_0 λx.t : [a − b + 1] · Nat[a − b] ⊸ Nat[2(a − b)].

By the way, this does not require rebuilding the entire type derivation (see the properties in the forthcoming Section 3.4). Let us now check whether the judgement above can be the premise of the rule R. Following the notation in the typing rule R we can stipulate that:



I = a > b;   J = a;   K = 0;   L = a + 1;

and

σ = [a − b] · Nat[a − b − 1] ⊸ Nat[2(a − b − 1)];
τ = [a − b + 1] · Nat[a − b] ⊸ Nat[2(a − b)];
μ = τ{0/b} = [a + 1] · Nat[a] ⊸ Nat[2a];
Γ = Δ = ∅.

We can then conclude that, since a < (a > b) implies a = 0:

a; ∅ ⊨ ⊚^{0,1}_b I = a + 1 = L;
a, b; a < (a > b) ⊨ ⊚^{b+1,a}_b I = 0;
a; ∅ ⊢ τ{⊚^{b+1,a}_b I + b + 1/b} = τ{b + 1/b} = σ;

and, ultimately, that a; ∅; ∅ ⊢_J dbl : μ.

3.4. Properties. This section is mainly concerned with Subject Reduction. Subject Reduction will only be proved for closed terms, since the language is endowed with a weak notion of reduction and, as a consequence, reduction cannot happen in the scope of lambda abstractions. The system dℓPCF enjoys some nice properties that are both necessary intermediate steps towards proving subject reduction and essential ingredients for proving soundness and relative completeness. These properties permit manipulating judgements while being sure that derivability is preserved.

First of all, the constraints Φ in a typing judgement can be made stronger without altering the rest:

Lemma 3.4 (Constraint Strengthening). Let φ; Φ; Γ ⊢_I t : σ and φ; Ψ ⊨^ℰ Φ. Then, φ; Ψ; Γ ⊢_I t : σ.

Proof. Easy. □

Note that a sort of strengthening also holds for weights.

Lemma 3.5 (Weight Monotonicity). Let φ; Φ; Γ ⊢_I t : σ and φ; Φ ⊨^ℰ I ≤ J. Then, φ; Φ; Γ ⊢_J t : σ.

Proof. It follows easily by induction on the derivation proving φ; Φ; Γ ⊢_I t : σ. In particular, observe that all rules altering the weight are designed in such a way as to allow the latter to be lifted up. □

Whenever a parameter in a subtyping judgment needs to be specialized, we can simply substitute it with an index term.

Lemma 3.6 (Index Term Substitution Respects Subtyping). Let φ, a; Φ ⊢ σ ⊑ τ and I be an index term. Then, φ; Φ{I/a}, Ψ ⊢ σ{I/a} ⊑ τ{I/a} whenever φ; Ψ ⊨ I ⇓.

Proof. It follows easily by definition of φ; Ψ ⊨ Φ. □
Subtyping can be freely applied both to the context Γ (contravariantly) and to the type σ (covariantly), leaving the rest of the judgement unchanged:

Lemma 3.7 (Subtyping). Suppose φ; Φ; x_1 : A_1, ..., x_n : A_n ⊢_I t : σ and φ; Φ ⊢ B_i ⊑ A_i for 1 ≤ i ≤ n and φ; Φ ⊢ σ ⊑ τ. Then, φ; Φ; x_1 : B_1, ..., x_n : B_n ⊢_I t : τ.

Proof. By induction on the structure of a derivation π for

φ; Φ; x_1 : A_1, ..., x_n : A_n ⊢_I t : σ.

Let us examine some interesting cases:

• If π is just

φ; Φ ⊨ 0 ≤ J   φ; Φ ⊨ 1 ≤ I   φ; Φ ⊢ μ{0/a} ⊑ σ   φ; Φ ⊢ ([a < I] · μ) ⇓   φ; Φ ⊢ Γ ⇓
──────────────────────────────────────────────────────────────
φ; Φ; Γ, x : [a < I] · μ ⊢_J x : σ

then, by assumption we have that B = [a < K] · γ and φ; Φ ⊢ [a < K] · γ ⊑ [a < I] · μ. Moreover, by assumption we have φ; Φ ⊢ σ ⊑ τ. From φ; Φ ⊢ [a < K] · γ ⊑ [a < I] · μ, it follows that φ, a; Φ, a < K ⊢ γ ⊑ μ and that φ; Φ ⊨ I ≤ K. By Lemma 3.6, φ; Φ ⊢ γ{0/a} ⊑ μ{0/a}, which by transitivity of ⊑ implies φ; Φ ⊢ γ{0/a} ⊑ τ. Now, if Δ is a context such that (with a slight abuse of notation) φ; Φ ⊢ Δ ⊑ Γ, then φ; Φ ⊢ Δ ⇓. Summing up,

φ; Φ ⊨ 0 ≤ J   φ; Φ ⊨ 1 ≤ K   φ; Φ ⊢ γ{0/a} ⊑ τ   φ; Φ ⊢ ([a < K] · γ) ⇓   φ; Φ ⊢ Δ ⇓
──────────────────────────────────────────────────────────────
φ; Φ; Δ, x : [a < K] · γ ⊢_J x : τ

• If π is

φ; Φ; Γ ⊢_J t : [a < I] · μ ⊸ σ   φ, a; Φ, a < I; Δ ⊢_K u : μ   φ; Φ ⊢ Σ ⊑ Γ ⊎ ∑_{a<I} Δ   φ; Φ ⊨ H ≥ J + I + ∑_{a<I} K
──────────────────────────────────────────────────────────────
φ; Φ; Σ ⊢_H tu : σ

but we have φ; Φ ⊢ σ ⊑ τ and φ; Φ ⊢ Θ ⊑ Σ, then by induction hypothesis we can easily conclude that φ; Φ; Γ ⊢_J t : [a < I] · μ ⊸ τ and, by transitivity of ⊑, that φ; Φ ⊢ Θ ⊑ Γ ⊎ ∑_{a<I} Δ. As a consequence:

φ; Φ; Γ ⊢_J t : [a < I] · μ ⊸ τ   φ, a; Φ, a < I; Δ ⊢_K u : μ   φ; Φ ⊢ Θ ⊑ Γ ⊎ ∑_{a<I} Δ   φ; Φ ⊨ H ≥ J + I + ∑_{a<I} K
──────────────────────────────────────────────────────────────
φ; Φ; Θ ⊢_H tu : τ

The other cases are similar. □

Weakening holds for term contexts:

Lemma 3.8 (Context Weakening). Let φ; Φ; Γ ⊢_I t : σ. Then, φ; Φ; Γ, Δ ⊢_I t : σ whenever φ; Φ ⊢ Δ ⇓.

Proof. Easy, by induction on the derivation proving φ; Φ; Γ ⊢_I t : σ. □
Another useful transformation on type derivations is substitution of an index variable for an index term:

Lemma 3.9 (Index Term Substitution). Let φ, a; Φ; Γ ⊢_I t : σ. Then we have

φ; Φ{J/a}, Ψ; Γ{J/a} ⊢_{I{J/a}} t : σ{J/a}

for every J such that φ; Ψ ⊨ J ⇓.

Proof. By induction on the structure of a derivation π for

φ, a; Φ; Γ ⊢_I t : σ.

Let us examine some cases:

• If π is just

φ, a; Φ ⊨ 0 ≤ I   φ, a; Φ ⊨ 1 ≤ K   φ, a; Φ ⊢ μ{0/b} ⊑ σ   φ, a; Φ ⊢ ([b < K] · μ) ⇓   φ, a; Φ ⊢ Γ ⇓
──────────────────────────────────────────────────────────────
φ, a; Φ; Γ, x : [b < K] · μ ⊢_I x : σ

then of course we have that φ; Φ{J/a}, Ψ ⊨ 0 ≤ I{J/a} and that φ; Φ{J/a}, Ψ ⊨ 1 ≤ K{J/a}. By Lemma 3.6 one obtains φ; Φ{J/a}, Ψ ⊢ (μ{0/b}){J/a} ⊑ σ{J/a}. Please observe that b can be assumed not to occur free in J, and as a consequence (μ{0/b}){J/a} = (μ{J/a}){0/b}. Similarly, φ; Φ{J/a}, Ψ ⊢ (([b < K] · μ){J/a}) ⇓ and φ; Φ{J/a}, Ψ ⊢ Γ{J/a} ⇓. Again, ([b < K] · μ){J/a} is syntactically identical to [b < K{J/a}] · μ{J/a}. As a consequence:

φ; Φ{J/a}, Ψ ⊨ 0 ≤ I{J/a}   φ; Φ{J/a}, Ψ ⊨ 1 ≤ K{J/a}   φ; Φ{J/a}, Ψ ⊢ (μ{J/a}){0/b} ⊑ σ{J/a}   φ; Φ{J/a}, Ψ ⊢ ([b < K{J/a}] · μ{J/a}) ⇓   φ; Φ{J/a}, Ψ ⊢ (Γ{J/a}) ⇓
──────────────────────────────────────────────────────────────
φ; Φ{J/a}, Ψ; Γ{J/a}, x : [b < K{J/a}] · μ{J/a} ⊢_{I{J/a}} x : σ{J/a}

• If π is

φ, a; Φ; Γ, x : [b < K] · μ ⊢_I t : τ
──────────────────────────────────────────────────────────────
φ, a; Φ; Γ ⊢_I λx.t : [b < K] · μ ⊸ τ

then, by the induction hypothesis we get

φ; Φ{J/a}, Ψ; Γ{J/a}, x : [b < K{J/a}] · μ{J/a} ⊢_{I{J/a}} t : τ{J/a}.

As a consequence, we can conclude by

φ; Φ{J/a}, Ψ; Γ{J/a}, x : [b < K{J/a}] · μ{J/a} ⊢_{I{J/a}} t : τ{J/a}
──────────────────────────────────────────────────────────────
φ; Φ{J/a}, Ψ; Γ{J/a} ⊢_{I{J/a}} λx.t : ([b < K] · μ ⊸ τ){J/a}

since [b < K{J/a}] · μ{J/a} ⊸ τ{J/a} = ([b < K] · μ ⊸ τ){J/a}.

The other cases are similar. □

A particularly useful instance of Lemma 3.9 is the following:

Lemma 3.10 (Instantiation). Let φ, a; Φ, a < I; ∅ ⊢_K t : σ. If φ; Ψ ⊨^ℰ J < I, then φ; Φ{J/a}, Ψ; ∅ ⊢_{K{J/a}} t : σ{J/a}.

Proof. By Lemma 3.9 and Lemma 3.7. □



Moreover a Generation Lemma will be useful.

Lemma 3.11 (Generation).

1. Let φ; Φ; Γ ⊢_K λx.t : σ, then σ = [a < I] · τ ⊸ μ and φ; Φ; Γ, x : [a < I] · τ ⊢_K t : μ;

2. Let φ; Φ; Γ ⊢_K 0 : Nat[I, J], then φ; Φ ⊨^ℰ I ≤ 0;

3. Let φ; Φ; Γ ⊢_K n + 1 : Nat[I, J], then φ; Φ ⊨^ℰ J ≥ 1.

Proof. All the points are immediate by an inspection of the rules. □

We are now ready to embark on a proof of Subject Reduction. As usual, the first step is a Substitution Lemma:

Lemma 3.12 (Term Substitution). Let φ, a; Φ, a < I; ∅ ⊢_J t : σ and φ; Φ; x : [a < I] · σ, Δ ⊢_K u : τ. Then we have φ; Φ; Δ ⊢_H u{t/x} : τ for some H such that φ; Φ ⊨ H ≤ K + I + ∑_{a<I} J.

Proof. As usual, this is an induction on the structure of a type derivation for u. All relevant inductive cases require some manipulation of the type derivation for t. The previous lemmas give exactly the right degree of "malleability". Let π be a derivation for

φ; Φ; x : [a < I] · σ, Δ ⊢_K u : τ.

Let us examine some interesting cases, depending on the shape of π:

• Consider π to be just

φ; Φ ⊨ 0 ≤ K   φ; Φ ⊨ 1 ≤ I   φ; Φ ⊢ σ{0/a} ⊑ τ   φ; Φ ⊢ ([a < I] · σ) ⇓   φ; Φ ⊢ Δ ⇓
──────────────────────────────────────────────────────────────
φ; Φ; Δ, x : [a < I] · σ ⊢_K x : τ

Since φ; Φ ⊨ 1 ≤ I, applying Lemma 3.10 we have

φ; Φ{0/a}; ∅ ⊢_{J{0/a}} t : σ{0/a}

and since Φ does not contain free occurrences of a we obtain:

φ; Φ; ∅ ⊢_{J{0/a}} t : σ{0/a}.

Now, by applying Lemma 3.8, Lemma 3.5 and Lemma 3.7 we can conclude

φ; Φ; Δ ⊢_{K + I + ∑_{a<I} J} t : τ

since clearly

φ; Φ ⊨ J{0/a} ≤ K + I + ∑_{a<I} J.

• Let us consider the case where π ends by an instance of the A rule. In particular, without loss of generality we can consider a situation like the following:

φ; Φ; x : [a < K] · γ ⊢_L v : [b < N] · μ ⊸ τ   φ, b; Φ, b < N; x : [a < H] · γ{K + a + ∑_{d<b} H{d/b}/a} ⊢_M u : μ   φ; Φ ⊢ [a < I] · σ ⊑ [a < K + ∑_{b<N} H] · γ   φ; Φ ⊨ Q ≥ L + N + ∑_{b<N} M
──────────────────────────────────────────────────────────────
φ; Φ; x : [a < I] · σ ⊢_Q vu : τ

By definition of subtyping, φ; Φ, a < I ⊢ σ ⊑ γ, and φ; Φ ⊨ K + P ≤ I, where P = ∑_{b<N} H. By Lemma 3.4 we have

φ; Φ, a < K + P; ∅ ⊢_J t : σ

and by Lemma 3.7 we have

φ; Φ, a < K + P; ∅ ⊢_J t : γ

(since φ; Φ, a < K + P ⊢ σ ⊑ γ). Applying again Lemma 3.4 we obtain

φ; Φ, a < K; ∅ ⊢_J t : γ

and by induction hypothesis we get

φ; Φ; ∅ ⊢_T v{t/x} : [b < N] · μ ⊸ τ

with φ; Φ ⊨ T ≤ L + K + ∑_{a<K} J. We observe that

φ, a, b, c; a = K + c + ∑_{d<b} H{d/b}, b < N, c < H ⊨ a < K + P.

By Lemma 3.4 we get

φ, a, b, c; Φ, a = K + c + ∑_{d<b} H{d/b}, b < N, c < H; ∅ ⊢_J t : γ

and by Lemma 3.9 and Lemma 3.7 we obtain

φ, a, b; Φ, a < H, b < N; ∅ ⊢_R t : γ{K + a + ∑_{d<b} H{d/b}/a},

where R = J{K + a + ∑_{d<b} H{d/b}/a}. By induction hypothesis, we get

φ, b; Φ, b < N; ∅ ⊢_S u{t/x} : μ

with φ, b; Φ, b < N ⊨ S ≤ M + H + ∑_{a<H} R, and we can conclude as follows:

φ; Φ; ∅ ⊢_T v{t/x} : [b < N] · μ ⊸ τ   φ, b; Φ, b < N; ∅ ⊢_S u{t/x} : μ
──────────────────────────────────────────────────────────────
φ; Φ; ∅ ⊢_{T + N + ∑_{b<N} S} v{t/x} u{t/x} : τ

Please observe that:

φ; Φ ⊨ T + N + ∑_{b<N} S ≤ (L + K + ∑_{a<K} J) + N + ∑_{b<N} (M + H + ∑_{a<H} R)
= (L + N + ∑_{b<N} M) + (K + ∑_{b<N} H) + (∑_{a<K} J + ∑_{b<N} ∑_{a<H} R)
≤ (L + N + ∑_{b<N} M) + (K + ∑_{b<N} H) + ∑_{a<K+P} J
≤ Q + I + ∑_{a<I} J.

The other cases are similar. □
Theorem 3.13 (Subject Reduction). Let φ; Φ; ∅ ⊢_I t : σ and t → u. Then, φ; Φ; ∅ ⊢_J u : σ, where φ; Φ ⊨ J ≤ I.

Proof. By induction on the structure of a derivation π for φ; Φ; ∅ ⊢_I t : σ. Let us examine the distinct cases:

• Suppose π is

φ; Φ; ∅ ⊢_K λx.t : [a < H] · τ ⊸ σ   φ, a; Φ, a < H; ∅ ⊢_L u : τ   φ; Φ ⊨ K + H + ∑_{a<H} L ≤ I
──────────────────────────────────────────────────────────────
φ; Φ; ∅ ⊢_I (λx.t)u : σ

By Lemma 3.11, Point 1, we have φ; Φ; x : [a < H] · τ ⊢_K t : σ. Then by Lemma 3.12 we can conclude:

φ; Φ; ∅ ⊢_J t{u/x} : σ

for φ; Φ ⊨ J ≤ K + H + ∑_{a<H} L ≤ I.

• Suppose π is

φ; Φ; ∅ ⊢_K 0 : Nat[H, M]   φ; Φ, H ≤ 0; ∅ ⊢_L v : σ   φ; Φ, M ≥ 1; ∅ ⊢_L w : σ   φ; Φ ⊨ K + L ≤ I
──────────────────────────────────────────────────────────────
φ; Φ; ∅ ⊢_I ifz 0 then v else w : σ

By Lemma 3.11, Point 2, we have φ; Φ ⊨ H ≤ 0. So, by Lemma 3.4 we can conclude φ; Φ; ∅ ⊢_L v : σ.

• Suppose π is

φ; Φ; ∅ ⊢_K n + 1 : Nat[H, M]   φ; Φ, H ≤ 0; ∅ ⊢_L v : σ   φ; Φ, M ≥ 1; ∅ ⊢_L w : σ   φ; Φ ⊨ K + L ≤ I
──────────────────────────────────────────────────────────────
φ; Φ; ∅ ⊢_I ifz n + 1 then v else w : σ

By Lemma 3.11, Point 3, we have φ; Φ ⊨ M ≥ 1. So, by Lemma 3.4 we have φ; Φ; ∅ ⊢_L w : σ.

• Suppose π is

φ; Φ ⊨ ⊚^{0,1}_b J ≤ L, P   φ, b; Φ, b < L; x : [a < J] · μ ⊢_K t : τ   φ; Φ ⊢ τ{0/b} ⊑ σ   φ, a, b; Φ, a < J, b < L ⊢ τ{⊚^{b+1,a}_b J + b + 1/b} ⊑ μ   φ; Φ ⊨ P − 1 + ∑_{b<L} K ≤ I
──────────────────────────────────────────────────────────────
φ; Φ; ∅ ⊢_I fix x.t : σ

The index term J describes a tree T_J (in the sense of forest cardinalities, see Section 3.1) which in turn represents the tree of recursive calls. T_J looks as follows: its root is labelled 0 and has J{0/b} immediate subtrees T_J^1, ..., T_J^{J{0/b}}, where T_J^i represents the tree of recursive calls triggered by the i-th call to x in t. We first proceed by giving a type to t which somehow corresponds to the root of T_J. This will be done by substituting b for 0 in the derivation we get as an hypothesis of π. Since φ; Φ ⊨^ℰ 0 < L, by Lemma 3.10 we have

φ; Φ; x : [a < J{0/b}] · μ{0/b} ⊢_{K{0/b}} t : τ{0/b}.

From the hypothesis φ; Φ ⊢ τ{0/b} ⊑ σ and by the Subtyping Lemma, we obtain

φ; Φ; x : [a < J{0/b}] · μ{0/b} ⊢_{K{0/b}} t : σ.

Our objective now is building one type derivation for fix x.t that somehow reflects the J{0/b} subtrees T_J^1, ..., T_J^{J{0/b}}. Speaking more formally, we want to prove that:

φ, a; Φ, a < J{0/b}; ∅ ⊢_R fix x.t : μ{0/b}   (3.5)

where

φ; Φ ⊨ K{0/b} + J{0/b} + ∑_{a<J{0/b}} R ≤ I.

That would immediately lead to the thesis. To reach (3.5), we proceed by first defining two index terms with a quite intuitive informal semantics:

• First of all, we define M to be ⊚^{0,1}_b J{b + 1 + ⊚^{0,c}_b J/b}. Observe that c occurs free in M; indeed, M counts the number of nodes in the subtree of T_J rooted at the (c + 1)-th child of the root.

• Another useful index term is N, which is defined to be 1 + b + ∑_{c<a} M. N is designed so as to return the label of a node in T_J given a and the offset b. In other words, T_{J{N/b}} is a recursion tree isomorphic to T_J^{a+1}.

Now, if we substitute b for N in one of the premises of π, we get

φ, a, b; Φ, a < J{0/b}, b < M{a/c}; x : [d < J{N/b}] · μ{d/a}{N/b} ⊢_{K{N/b}} t : τ{N/b}.   (3.6)

Since by Lemma 3.2 we have ∑_{c<a} M = ⊚^{1,a}_b J, we know that

⊚^{0,1}_b J{N/b} = ⊚^{0,1}_b J{1 + b + ∑_{c<a} M/b} = ⊚^{0,1}_b J{1 + b + ⊚^{1,a}_b J/b} ≤ M{a/c}.   (3.7)

Now, consider the problem of determining the index (in T_J) of the (d + 1)-th child of a node of index b inside T_{J{N/b}}. There are two equivalent ways to compute it:

• either you start from N, but then you substitute b by b + 1 + ⊚^{b+1,d}_b J{N/b};

• or you simply consider N + 1 + ⊚^{N+1,d}_b J.

In the first case, you compute the desired index by merely instantiating N appropriately, while in the second case you use N without altering it. The observation above can be formalized as follows:

φ, a, b, d; Φ, a < J{0/b}, b < M{a/c}, d < J{N/b} ⊢ τ{N/b}{b + 1 + ⊚^{b+1,d}_b J{N/b}/b} = τ{N + 1 + ⊚^{N+1,d}_b J/b}.

By Lemma 3.10 we also obtain:

φ, a, b, d; Φ, a < J{0/b}, b < M{a/c}, d < J{N/b} ⊢ τ{N/b}{b + 1 + ⊚^{b+1,d}_b J{N/b}/b} ⊑ μ{d/a}{N/b}.   (3.8)

Now, (3.6), (3.7) and (3.8) can be put together by way of rule R, and one can then conclude that

φ, a; Φ, a < J{0/b}; ∅ ⊢_{M{a/c} − 1 + ∑_{b<M{a/c}} K{N/b}} fix x.t : τ{N/b}{0/b}.

But instantiating one of the hypotheses of π, we obtain

φ, a; Φ, a < J{0/b} ⊢ τ{⊚^{1,a}_b J + 1/b} ⊑ μ{0/b}.

By Lemma 3.2 we can prove that ⊚^{1,a}_b J + 1 = N{0/b}. Indeed, this is quite intuitive: the index of the root of T_J^{a+1} can be computed in two equivalent ways, through J or through N. As a consequence,

φ, a; Φ, a < J{0/b}; ∅ ⊢_R fix x.t : μ{0/b},

where R = M{a/c} − 1 + ∑_{b<M{a/c}} K{N/b}. But we are done, since

φ; Φ ⊨ K{0/b} + J{0/b} + ∑_{a<J{0/b}} R
= K{0/b} + J{0/b} + ∑_{a<J{0/b}} (M{a/c} − 1 + ∑_{b<M{a/c}} K{N/b})
= (J{0/b} + ∑_{a<J{0/b}} (M{a/c} − 1)) + K{0/b} + ∑_{a<J{0/b}} ∑_{b<M{a/c}} K{N/b}
≤ ⊚^{1,J{0/b}}_b J + K{0/b} + ∑_{a<J{0/b}} ∑_{b<M{a/c}} K{N/b}
≤ P − 1 + ∑_{b<L} K
≤ I.

This concludes the proof. □
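Both the stipulation made for dbl above (⊚^{0,1}_b (a > b) = a + 1, with the (d + 1)-th child of a node reached by skipping the node and its first d subtrees) and the "two equivalent ways" of locating a child in the fix case of the proof can be checked mechanically. The Python program below is an added example and not code from the paper; it assumes the reading of ⊚^{I,J}_b K as the number of nodes of the forest made of J trees whose roots carry the labels I, I + 1, ... in preorder and in which the node labelled n has K{n/b} children (the formal definition in Section 3.1 is not reproduced on this page). The function names (forest_card, child_label, dbl_calls) and the sample index term are this example's own.

```python
# Added example, not from the paper: an executable reading of the forest
# cardinality ⊚^{I,J}_b K used by the fix rule and by the dbl example.
# Assumption (the formal definition is in Section 3.1, not on this page):
# ⊚^{I,J}_b K is the number of nodes in the forest made of J trees whose
# roots carry the labels I, I+1, ... in preorder, where the node labelled
# n has K{n/b} children.
from typing import Callable, Dict, List

Children = Callable[[int], int]   # the index term K, as a function of b


def tree_size(K: Children, root: int) -> int:
    """Nodes of the tree rooted at label `root` (the root itself included).

    Children are labelled in preorder: the first child is root+1 and each
    further child comes right after the whole subtree of the previous one.
    """
    size = 1
    label = root + 1
    for _ in range(K(root)):
        sub = tree_size(K, label)
        size += sub
        label += sub
    return size


def forest_card(K: Children, I: int, J: int) -> int:
    """⊚^{I,J}_b K: nodes in the forest of J consecutive trees, the first rooted at I."""
    total = 0
    label = I
    for _ in range(J):
        sub = tree_size(K, label)
        total += sub
        label += sub
    return total


def child_label(K: Children, b: int, d: int) -> int:
    """Label of the (d+1)-th child of node b, computed as b + 1 + ⊚^{b+1,d}_b K.

    This is the arithmetic used in the fix case of Subject Reduction: skip the
    node itself and the d subtrees of its earlier children.  For b = 0 it is
    also the root label N{0/b} = ⊚^{1,a}_b J + 1 of the (a+1)-th subtree.
    """
    return b + 1 + forest_card(K, b + 1, d)


def build_tree(K: Children, root: int) -> Dict[int, List[int]]:
    """Explicit preorder-labelled tree, used to cross-check the arithmetic."""
    tree: Dict[int, List[int]] = {}
    counter = root

    def visit(n: int) -> None:
        nonlocal counter
        tree[n] = []
        for _ in range(K(n)):
            counter += 1
            tree[n].append(counter)
            visit(counter)

    visit(root)
    return tree


def dbl_calls(a: int) -> int:
    """Recursive-call tree of dbl on input a, i.e. I = (a > b) as a function of b.

    Node b has one child exactly when a > b, so the tree is a chain of a+1
    nodes: this is the equality ⊚^{0,1}_b I = a + 1 stipulated in the text.
    """
    return forest_card(lambda b: int(a > b), 0, 1)


def check_child_labels(K: Children, root: int = 0) -> bool:
    """Every child label computed arithmetically matches the explicit tree."""
    tree = build_tree(K, root)
    return all(
        child_label(K, n, d) == kids[d]
        for n, kids in tree.items()
        for d in range(len(kids))
    )


if __name__ == "__main__":
    # Constructed sample index term: node n has max(0, 3 - n) children.
    sample: Children = lambda n: max(0, 3 - n)
    print(forest_card(sample, 0, 1))          # 7 nodes in the tree rooted at 0
    print(build_tree(sample, 0)[0])           # children of the root: [1, 5, 6]
    print([dbl_calls(a) for a in range(5)])   # [1, 2, 3, 4, 5]
    print(check_child_labels(sample))         # True
```

The sample term is chosen so that subtrees have different sizes; with it the root's children carry the labels 1, 5 and 6, exactly what child_label returns for d = 0, 1, 2, while for dbl the forest degenerates into a chain, which is why the weight of the fixpoint in the example can be taken to be a.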

4. Intensional Soundness

Subject Reduction already implies an extensional notion of soundness for programs: if a term t can be typed with ⊢_K t : Nat[I, J], then its normal form (if any) is a natural number between ⟦I⟧ and ⟦J⟧. However, Subject Reduction does not tell us whether the evaluation of t terminates, and in how much time. Has K anything to do with the complexity of evaluating t? The only information that can be extracted from the Subject Reduction Theorem is that K does not increase along reduction.

In this section, Intensional Soundness (Theorem 4.6 below) for the type system dℓPCF will be proved. A Krivine's Machine K_PCF for PCF programs will be first defined in Section 4.1. Given a program (i.e. a closed term of base type), the machine K_PCF either evaluates it to normal form or diverges. A formal connection between the machine K_PCF and the type system dℓPCF will be established by means of a weighted typability notion for machine configurations, introduced in Section 4.2. This notion is the fundamental ingredient to keep track of the number of machine steps.

Figure 7: The K_PCF Transition Steps.

4.1. The K_PCF Machine. The Krivine's Machine has been introduced as a natural device to evaluate pure lambda-terms under a weak-head notion of reduction [27]. Here, the standard Krivine's Machine is extended to a machine K_PCF which handles not only abstractions and applications, but also constants, conditionals and fixpoints.

The configurations of the machine K_PCF, ranged over by C, D, ..., are triples C = (t, ρ, ξ) where ρ and ξ are two additional constructions: ρ is an environment, that is a (possibly empty) finite sequence of closures; while ξ is a (possibly empty) stack of contexts. Stacks are ranged over by ξ, θ, .... A closure, as usual, is a pair c = (t, ρ) where t is a term and ρ is an environment. A context is either a closure, a term s, a term p, or a triple (u, v, ρ) where u, v are terms and ρ is an environment.

The transition steps between configurations of the K_PCF machine are given in Figure 7. The transition rules require some comments. First of all, a naive management of named variables is used. A more effective description, however, could be given by using standard de Bruijn indexes. Note that the triple (u, v, ρ) is used as a context for the conditional construction; moreover, in a recursion step, a copy of the recursive term is put in a closure on the top of the current environment. As usual, the symbol ⊳* denotes the reflexive and transitive closure of the transition relation ⊳. The relation ⊳ implements weak-head reduction. Weak-head normal form and the normal form coincide for programs. So the machine K_PCF is a correct device to evaluate programs. For this reason, the notation t ⇓ n can be used as a shorthand for (t, ε, ε) ⊳* (n, ρ, ε). Moreover, notations like C ⇓^n could also be used to stress that C reduces to an irreducible configuration in exactly n steps. The proof of the formal correctness of the abstract machine is outside the scope of this paper; however, it should be clear that it could be obtained as a simple extension of the original one [27].
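As an added example (not code from the paper), the following Python program simulates the K_PCF machine just described and runs dbl from Section 3 on a numeral while counting transitions, the quantity that Theorem 4.6 below bounds. Figure 7 is not reproduced on this page, so the transition rules are this example's own reading of the description above, cross-checked against the machine steps spelled out in the proof of Lemma 4.5 (application pushes the argument closure, abstraction pops it into the environment, a variable enters its closure, fix copies itself on top of the environment, the conditional pushes (u, v, ρ), s and p push markers that act on numerals). The term-size function is likewise an assumption of the example, chosen so that every non-variable step shrinks the configuration size of Section 4.3; the names step, trace, evaluate, sizes_respect_lemmas and dbl are this example's own.

```python
# Added example, not from the paper: a simulator of the K_PCF machine of
# Section 4.1.  Figure 7 is not on this page, so the transitions below are
# this example's own reading of "Krivine's machine plus constants,
# conditionals and fixpoints", following the cases in the proof of
# Lemma 4.5.  The size function is also an assumption: |n| = |x| = 1 and
# s(·)/p(·) cost 2, so that pushing an s or p marker (|s| = |p| = 1)
# strictly shrinks the configuration, as Lemma 4.5, Point 1 requires.
from typing import List, Optional, Tuple

# Terms are nested tuples: ('var', x), ('lam', x, t), ('app', t, u),
# ('num', n), ('succ', t), ('pred', t), ('ifz', t, u, v), ('fix', x, t).
Term = tuple
Closure = Tuple[Term, tuple]             # (t, ρ)
Env = Tuple[Tuple[str, Closure], ...]     # named variables, most recent first
Config = Tuple[Term, Env, tuple]          # (t, ρ, ξ)


def size(t: Term) -> int:
    tag = t[0]
    if tag in ('var', 'num'):
        return 1
    if tag in ('lam', 'fix'):
        return 1 + size(t[2])
    if tag in ('succ', 'pred'):
        return 2 + size(t[1])
    if tag == 'app':
        return 1 + size(t[1]) + size(t[2])
    if tag == 'ifz':
        return 1 + size(t[1]) + size(t[2]) + size(t[3])
    raise ValueError(tag)


def context_terms(ctx) -> List[Term]:
    """Terms occurring in a stack context (none for the s and p markers)."""
    if ctx in ('s', 'p'):
        return []
    return [ctx[0]] if len(ctx) == 2 else [ctx[0], ctx[1]]


def context_size(ctx) -> int:
    """|(t, ρ)| = |t|, |s| = |p| = 1, |(u, v, ρ)| = |u| + |v|."""
    return 1 if ctx in ('s', 'p') else sum(size(u) for u in context_terms(ctx))


def config_size(cfg: Config) -> int:
    """|(t, ρ, ξ)| = |t| + |ξ|, as in Section 4.3."""
    t, _, stack = cfg
    return size(t) + sum(context_size(c) for c in stack)


def lookup(env: Env, x: str) -> Closure:
    for name, clo in env:
        if name == x:
            return clo
    raise KeyError(x)


def step(cfg: Config) -> Optional[Config]:
    """One transition, or None when the configuration is irreducible."""
    t, env, stack = cfg
    tag = t[0]
    if tag == 'app':            # (t u, ρ, ξ) -> (t, ρ, (u, ρ)·ξ)
        return (t[1], env, ((t[2], env),) + stack)
    if tag == 'lam' and stack and stack[0] not in ('s', 'p') and len(stack[0]) == 2:
        return (t[2], ((t[1], stack[0]),) + env, stack[1:])   # bind x to the closure
    if tag == 'var':            # (x, ρ, ξ) -> (t', ρ', ξ) where ρ(x) = (t', ρ')
        body, env2 = lookup(env, t[1])
        return (body, env2, stack)
    if tag == 'fix':            # unfold once, keeping (fix x.t, ρ) on top of ρ
        return (t[2], ((t[1], (t, env)),) + env, stack)
    if tag == 'ifz':            # push both branches with the current environment
        return (t[1], env, ((t[2], t[3], env),) + stack)
    if tag == 'succ':
        return (t[1], env, ('s',) + stack)
    if tag == 'pred':
        return (t[1], env, ('p',) + stack)
    if tag == 'num' and stack:
        top = stack[0]
        if top == 's':
            return (('num', t[1] + 1), env, stack[1:])
        if top == 'p':
            return (('num', max(0, t[1] - 1)), env, stack[1:])
        if len(top) == 3:       # (u, v, ρ'): 0 selects u, n+1 selects v
            u, v, env2 = top
            return (u if t[1] == 0 else v, env2, stack[1:])
    return None


def trace(t: Term, max_steps: int = 100_000) -> List[Config]:
    """All configurations from (t, ε, ε) up to the first irreducible one."""
    cfg: Config = (t, (), ())
    configs = [cfg]
    for _ in range(max_steps):
        nxt = step(cfg)
        if nxt is None:
            return configs
        cfg = nxt
        configs.append(cfg)
    raise RuntimeError("step budget exhausted")


def evaluate(t: Term) -> Tuple[int, int]:
    """(value, number of machine steps) for a program t with t ⇓^n m."""
    configs = trace(t)
    final = configs[-1][0]
    if final[0] != 'num':
        raise ValueError("stuck on a non-numeral: %r" % (final,))
    return final[1], len(configs) - 1


def sizes_respect_lemmas(t: Term) -> bool:
    """Along the run of t: every term stored in ρ or ξ has size at most |t|
    (Lemma 4.2); a variable step grows the configuration by at most |t| and
    every other step shrinks it (the size halves of Lemma 4.5)."""
    configs = trace(t)
    bound = size(t)
    for d, e in zip(configs, configs[1:]):
        stored = [clo[0] for _, clo in e[1]]
        for c in e[2]:
            stored.extend(context_terms(c))
        if any(size(u) > bound for u in stored):
            return False
        if d[0][0] == 'var':
            if config_size(e) > config_size(d) + bound:
                return False
        elif config_size(e) >= config_size(d):
            return False
    return True


def dbl() -> Term:
    """dbl = fix f. λx. ifz x then 0 else s(s(f (p x))), the example of Section 3."""
    return ('fix', 'f', ('lam', 'x',
            ('ifz', ('var', 'x'), ('num', 0),
             ('succ', ('succ', ('app', ('var', 'f'), ('pred', ('var', 'x'))))))))


def eval_dbl(n: int) -> Tuple[int, int]:
    return evaluate(('app', dbl(), ('num', n)))


if __name__ == "__main__":
    for n in range(4):
        print(n, eval_dbl(n))      # (2n, steps): (0, 6), (2, 20), (4, 37), ...
    print(sizes_respect_lemmas(('app', dbl(), ('num', 3))))   # True
```

The step counts grow faster than linearly in the input because, with the naive treatment of names, the variable x at recursion depth k is resolved through a chain of k pending p(x) closures; the environment and the stack never hold anything larger than a subterm of the initial program, which is what makes the size bound of Lemma 4.2 hold.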

Intensional Soundness will be proved by studying how the weight I of any program t evolves during the evaluation of t by K_PCF. This is possible because every reduction step in t is decomposed into a number of transitions in K_PCF, and this decomposition highlights when, precisely, the weight changes. The same would be more difficult when performing plain reduction on terms. Proving Intensional Soundness this way requires, however, to keep track of the types and weights of all objects in a machine configuration. In other words, the type system should be somehow generalized to an assignment system on configurations.

LINEAR DEPENDENT TYPES AND RELATIVE COMPLETENESS

Closures

φ; Φ; x_1 : [a < I_1] · τ_1, ..., x_n : [a < I_n] · τ_n ⊢_K t : σ   φ, a; Φ, a < I_i ⊢_{H_i} c_i : τ_i (1 ≤ i ≤ n)   φ; Φ ⊨ J ≥ K + I_1 + ... + I_n + ∑_{a<I_1} H_1 + ... + ∑_{a<I_n} H_n
──────────────────────────────────────────────────────────────
φ; Φ ⊢_J (t, c_1 ··· c_n) : σ

Stacks

φ; Φ ⊢ σ ⊑ τ
──────────────────────────────────────────────────────────────
φ; Φ ⊢_I ε : (σ, τ)

φ, a; Φ, a < I ⊢_H c : γ   φ; Φ ⊢_K ξ : (μ, τ)   φ; Φ ⊨ J ≥ H + K + I
──────────────────────────────────────────────────────────────
φ; Φ ⊢_J c · ξ : ([a < I] · γ ⊸ μ, τ)

φ; Φ ⊢_J ξ : (Nat[K, H], τ)   φ; Φ ⊢ Nat[I + 1, L + 1] ⊑ Nat[K, H]
──────────────────────────────────────────────────────────────
φ; Φ ⊢_J s · ξ : (Nat[I, L], τ)

φ; Φ ⊢_J ξ : (Nat[K, H], τ)   φ; Φ ⊢ Nat[I − 1, L − 1] ⊑ Nat[K, H]
──────────────────────────────────────────────────────────────
φ; Φ ⊢_J p · ξ : (Nat[I, L], τ)

φ; Φ, I ≤ 0 ⊢_H (t, ρ) : μ   φ; Φ, L ≥ 1 ⊢_H (u, ρ) : μ   φ; Φ ⊢_K ξ : (μ, τ)   φ; Φ ⊨ J ≥ K + H
──────────────────────────────────────────────────────────────
φ; Φ ⊢_J (t, u, ρ) · ξ : (Nat[I, L], τ)

Configurations

φ; Φ ⊢_J (t, ρ) : σ   φ; Φ ⊢_K ξ : (σ, τ)   φ; Φ ⊨ I ≥ K + J
──────────────────────────────────────────────────────────────
φ; Φ ⊢_I (t, ρ, ξ) : τ

Figure 8: Lifting dℓPCF Typing to Closures, Stacks and Configurations.

4.2. Types and Weights for Configurations. Assigning types and weights to configurations amounts to somehow keeping track of the nature of all terms appearing in environments and stacks. This is captured by the rules in Figure 8. A formal connection between typed terms and typed configurations could be established as expected, and such a connection could be shown to be preserved by reduction. However, the following lemma is everything we need in the sequel:

Lemma 4.1. Let t ∈ 𝒫. Then, φ; Φ; ∅ ⊢_I t : σ if and only if φ; Φ ⊢_I (t, ε, ε) : σ.

Analogous notions of typability for closures, stacks and configurations can be given following the simpler type discipline of PCF proper. They can be obtained by simplifying those for dℓPCF, see Figure 9. If C ⊳ D and π is a derivation of ⊢ C : σ, then a derivation ρ of ⊢ D : σ can be easily obtained by manipulating π, and we write π ⊳ ρ.
Figure 9: Extending PCF Typing to Closures, Stacks and Configurations.

4.3. Measure Decreasing and Intensional Soundness. An important property of Krivine's Machine says that during the evaluation of programs only subterms of the initial program are recorded in the environment. This justifies the notion of size for configurations, denoted |C|, that will be used in the sequel. This is defined as |(t, ρ, ξ)| = |t| + |ξ|. The size |ξ| of a stack ξ is defined as the sum of the sizes of its elements, where |(t, ρ)| = |t|, |s| = |p| = 1, and |(t, u, ρ)| = |t| + |u|. Moreover, another consequence of the same property is the following lemma.

Lemma 4.2. Let t ∈ 𝒫 and let C = (t, ε, ε). Then, for each D = (u, ρ, ξ) such that C ⊳* D and for each v occurring in ρ or ξ, |v| ≤ |t|.

Proof. Easy, by induction on the length of the reduction C ⊳* D. In fact, a strengthening of the statement is needed for induction to work. In particular, not only |v| ≤ |t| for every v in ρ and ξ, but also for the non-head subterms of u. □

Intensional Soundness (Theorem 4.6) expresses the fact that for a program t ∈ 𝒫 such that ∅; ∅; ∅ ⊢_I t : Nat[J, K], the number ⟦I⟧ is a good estimate of the number of steps needed to evaluate t. Moreover, thanks to Subject Reduction, the numbers ⟦J⟧ and ⟦K⟧ give an upper and a lower bound, respectively, to the result of such an evaluation. This is proved by showing that during reduction a measure, expressed as the combination of the weight and the size of a configuration, decreases. In turn, this requires extending some of the properties in Section 3.4 from terms to configurations. As an example, substitution holds on configurations, too:

Lemma 4.3. If φ, a; Φ ⊢_H (t, ρ) : σ, then φ; Φ{J/a}, Ψ ⊢_{H{J/a}} (t, ρ) : σ{J/a} for every J such that φ; Ψ ⊨ J ⇓.

Proof. By induction on the proof of φ, a; Φ ⊢_H (t, ρ) : σ, using Lemma 3.9. □

Moreover, type derivations for closures can be "split", exactly as for terms:

Lemma 4.4. Let φ; Φ ⊢ [a < I] · σ ⊑ [a < J + K] · τ and let φ, a; Φ, a < I ⊢_H (t, ρ) : σ. Then, both φ, a; Φ, a < J ⊢_H (t, ρ) : τ and φ, a; Φ, a < K ⊢_{H{J+a/a}} (t, ρ) : τ{J + a/a}.

The key step towards Intensional Soundness is the following:

Lemma 4.5 (Weighted Subject Reduction). Suppose that (t, ε, ε) ⊳* D ⊳ E and let D be such that φ; Φ ⊢_I D : σ. Then φ; Φ ⊢_J E : σ, and one of the following holds:

1. φ; Φ ⊨ I = J but |D| > |E|;

2. φ; Φ ⊨ I > J and |E| ≤ |D| + |t|.

Proof. The proof is by cases on the reduction D ⊳ E. Condition 1 can be shown to apply to all the cases but the one in which D = (x, ρ, ξ). In that one, weight decreasing relies on the side condition in the typing rule for variables, while the bound on the size increase comes from Lemma 4.2. We just present some cases, the others can be obtained analogously:

• Consider the case D = (ifz w then u else v, ρ, ξ). We want to prove Point 1, namely that E = (w, ρ, (u, v, ρ) · ξ) is such that φ; Φ ⊢_J E : σ where φ; Φ ⊨ I = J and |D| > |E|. The latter is immediate:

|D| = 1 + |w| + |u| + |v| + |ξ| > |w| + (|u| + |v|) + |ξ| = |w| + |(u, v, ρ) · ξ| = |E|.

Let us consider the former. By inspecting a proof of φ; Φ ⊢_I D : σ, we can easily derive the following judgments (where ρ = c_1, ..., c_n):

φ; Φ; x_1 : [a < K_1^w] · μ_1, ..., x_n : [a < K_n^w] · μ_n ⊢_{I_w} w : Nat[H, L];   (4.1)

φ; Φ, H ≤ 0; x_1 : [a < K_1^{uv}] · μ_1{K_1^w + a/a}, ..., x_n : [a < K_n^{uv}] · μ_n{K_n^w + a/a} ⊢_{I_uv} u : τ;   (4.2)

φ; Φ, L ≥ 1; x_1 : [a < K_1^{uv}] · μ_1{K_1^w + a/a}, ..., x_n : [a < K_n^{uv}] · μ_n{K_n^w + a/a} ⊢_{I_uv} v : τ;   (4.3)

φ, a; Φ, a < K_i ⊢_{I_{c_i}} c_i : σ_i;   (4.4)

φ; Φ ⊢_{I_ξ} ξ : (τ, σ).   (4.5)

where

φ; Φ ⊢ [a < K_i] · σ_i ⊑ [a < K_i^w] · μ_i ⊎ [a < K_i^{uv}] · μ_i{K_i^w + a/a};   (4.6)

φ; Φ ⊨ I ≥ I_w + I_uv + K_1 + ... + K_n + ∑_{a<K_1} I_{c_1} + ... + ∑_{a<K_n} I_{c_n} + I_ξ.   (4.7)

By Lemma 4.4 applied to (4.4) and exploiting (4.6), we obtain that

φ, a; Φ, a < K_i^w ⊢_{I_{c_i}} c_i : μ_i;
φ, a; Φ, a < K_i^{uv} ⊢_{I_{c_i}{K_i^w + a/a}} c_i : μ_i{K_i^w + a/a}.

By way of (4.1), (4.2) and (4.3), we obtain

φ; Φ ⊢_{I_(w,ρ)} (w, ρ) : Nat[H, L];
φ; Φ, H ≤ 0 ⊢_{I_(uv,ρ)} (u, ρ) : τ;
φ; Φ, L ≥ 1 ⊢_{I_(uv,ρ)} (v, ρ) : τ;

where

I_(w,ρ) = I_w + K_1^w + ... + K_n^w + ∑_{a<K_1^w} I_{c_1} + ... + ∑_{a<K_n^w} I_{c_n};

So, by definition and by (4.5) we have that φ; Φ ⊢ (u, v, ρ) · ξ : (Nat[H, L], σ). Thus, we can conclude that φ; Φ ⊢_I E : σ (since from (4.7) it easily follows that φ; Φ ⊨ I ≥ I_(w,ρ) + I_(uv,ρ) + I_ξ).

• Consider the case D = (λx.u, ρ, c · ξ). We want to prove Point 1, namely that E = (u, c · ρ, ξ) is such that φ; Φ ⊢_J E : σ where φ; Φ ⊨ I = J and |D| > |E|. The latter is immediate, so let us consider the former. By inspecting a proof of φ; Φ ⊢_I D : σ, we can easily derive the following judgments (where ρ = c_1, ..., c_n), in particular using the Generation Lemma:

φ; Φ; x_1 : [a < K_1] · μ_1, ..., x_n : [a < K_n] · μ_n, x : [a < H] · γ ⊢_{I_u} u : τ;   (4.8)

φ, a; Φ, a < K_i ⊢_{I_{c_i}} c_i : μ_i;   (4.9)

φ, a; Φ, a < H ⊢_{I_c} c : γ;   (4.10)

φ; Φ ⊢_{I_ξ} ξ : (τ, σ).   (4.11)

Moreover:

φ; Φ ⊨ I ≥ I_u + K_1 + ... + K_n + ∑_{a<K_1} I_{c_1} + ... + ∑_{a<K_n} I_{c_n} + H + ∑_{a<H} I_c + I_ξ.

From (4.8), (4.9) and (4.10), we obtain φ; Φ ⊢_{I_{c·ρ}} (u, c · ρ) : τ, where

I_{c·ρ} = I_u + K_1 + ... + K_n + ∑_{a<K_1} I_{c_1} + ... + ∑_{a<K_n} I_{c_n} + H + ∑_{a<H} I_c.

This, together with (4.11), easily yields the thesis.

• Consider the case D = (n, ρ, s · ξ). Again, we want to prove Point 1, that is, E = (n + 1, ρ, ξ) is such that φ; Φ ⊢_J E : σ, where φ; Φ ⊨ I = J and |D| > |E|. The latter is easy:

|D| = |n| + |s · ξ| = 2 + |ξ| > 1 + |ξ| = |n + 1| + |ξ| = |E|,

so we consider the former. By inspecting a proof of φ; Φ ⊢_I D : σ, we can easily derive the following judgments (where ρ = c_1, ..., c_n), in particular using the Generation Lemma:

φ; Φ; x_1 : [a < K_1] · μ_1, ..., x_n : [a < K_n] · μ_n ⊢_{I_n} n : Nat[H, L];   (4.12)

φ, a; Φ, a < K_i ⊢_{I_{c_i}} c_i : μ_i;   (4.13)

φ; Φ ⊢_{I_ξ} ξ : (Nat[M, N], σ).   (4.14)

Moreover:

φ; Φ ⊨ I ≥ I_n + K_1 + ... + K_n + ∑_{a<K_1} I_{c_1} + ... + ∑_{a<K_n} I_{c_n} + I_ξ;   (4.15)

φ; Φ ⊢ Nat[H + 1, L + 1] ⊑ Nat[M, N].   (4.16)

From (4.12) and (4.16) we get

φ; Φ; x_1 : [a < K_1] · μ_1, ..., x_n : [a < K_n] · μ_n ⊢_{I_n} n + 1 : Nat[M, N].

This, together with (4.13), allows us to reach φ; Φ ⊢_{I_(n+1,ρ)} (n + 1, ρ) : Nat[M, N], where

I_(n+1,ρ) = I_n + K_1 + ... + K_n + ∑_{a<K_1} I_{c_1} + ... + ∑_{a<K_n} I_{c_n}.

By (4.14), the thesis can be easily reached.

• Consider the case D = (fix x.u, ρ, ξ). Yet another time, we want to prove Point 1, that is, E = (u, (fix x.u, ρ) · ρ, ξ) is such that φ; Φ ⊢_J E : σ, where φ; Φ ⊨ I = J and |D| > |E|. The latter is easy, as usual:

|D| = |fix x.u| + |ξ| > |u| + |ξ| = |E|,

so we consider the former. By inspecting a proof of φ; Φ ⊢_I D : σ, we can easily derive the following judgments (where ρ = c_1, ..., c_n):

φ, b; Φ, b < H; x_1 : [a < K_1] · μ_1, ..., x_n : [a < K_n] · μ_n, x : [a < L] · γ ⊢_{I_u} u : τ;   (4.17)

φ, a; Φ, a < M_i ⊢_{I_{c_i}} c_i : η_i;   (4.18)

φ; Φ ⊢_{I_ξ} ξ : (δ, σ).   (4.19)

Moreover:

φ; Φ ⊢ τ{0/b} ⊑ δ;
φ, a, b; Φ, a < L, b < H ⊢ τ{⊚^{b+1,a}_b L + b + 1/b} ⊑ γ;
φ; Φ ⊢ [a < M_i] · η_i ⊑ ∑_{b<H} [a < K_i] · μ_i;
φ; Φ ⊨ ⊚^{0,1}_b L ≤ H, N;
φ; Φ ⊨ I ≥ N − 1 + ∑_{b<H} I_u + M_1 + ... + M_n + ∑_{a<M_1} I_{c_1} + ... + ∑_{a<M_n} I_{c_n} + I_ξ.   (†)

By manipulations of the indices similar to the ones used in the proof of Subject Reduction, we can derive the following from (4.17), given the judgments above:

φ; Φ; Γ, x : [a < L{0/b}] · γ{0/b} ⊢_{I_u{0/b}} u : δ;
φ, a; Φ, a < L{0/b}; Δ ⊢_{P{a/c} − 1 + ∑_{b<P{a/c}} I_u{R/b}} fix x.u : γ{0/b}.

In the equations above,

P = ⊚^{0,1}_b L{b + 1 + ⊚^{0,c}_b L/b};
R = 1 + b + ∑_{c<a} P;

and Γ, Δ can be chosen in such a way as to guarantee:

φ; Φ ⊢ x_1 : [a < M_1] · η_1, ..., x_n : [a < M_n] · η_n ⊑ ∑_{a<L{0/b}} Δ ⊎ Γ ⊑ x_1 : ∑_{b<H} [a < K_1] · μ_1, ..., x_n : ∑_{b<H} [a < K_n] · μ_n.

So we have that

φ; Φ ⊢_{I_(u,(fix x.u,ρ)·ρ)} (u, (fix x.u, ρ) · ρ) : δ,

where

I_(u,(fix x.u,ρ)·ρ) = I_u{0/b} + L{0/b} + ∑_{a<L{0/b}} (P{a/c} − 1 + ∑_{b<P{a/c}} I_u{R/b}) + M_1 + ... + M_n + ∑_{a<M_1} I_{c_1} + ... + ∑_{a<M_n} I_{c_n}.

The value of I_(u,(fix x.u,ρ)·ρ) can then be proved to be equal to or smaller than

N − 1 + ∑_{b<H} I_u + M_1 + ... + M_n + ∑_{a<M_1} I_{c_1} + ... + ∑_{a<M_n} I_{c_n},

under the hypotheses in (†). This immediately yields the thesis, given (4.19).

• Consider the case D = (x_m, ((t_1, ρ_1), ..., (t_n, ρ_n)), ξ). We want to prove Point 2, that is, E = (t_m, ρ_m, ξ) is such that φ; Φ ⊢_J E : σ, where φ; Φ ⊨ I > J and |E| ≤ |D| + |t|. The latter is immediate by Lemma 4.2, so we consider the former. By inspecting a proof of φ; Φ ⊢_I D : σ, we can easily derive the following judgments:

φ; Φ; x_1 : [a < K_1] · μ_1, ..., x_n : [a < K_n] · μ_n ⊢_{I_{x_m}} x_m : τ;   (4.20)

φ, a; Φ, a < K_i ⊢_{I_(t_i,ρ_i)} (t_i, ρ_i) : μ_i;   (4.21)

φ; Φ ⊢_{I_ξ} ξ : (τ, σ).   (4.22)

Moreover:

φ; Φ ⊨ K_m ≥ 1;   (4.23)

φ; Φ ⊢ μ_m{0/a} ⊑ τ;   (4.24)

φ; Φ ⊨ I ≥ I_{x_m} + K_1 + ... + K_n + ∑_{a<K_1} I_(t_1,ρ_1) + ... + ∑_{a<K_n} I_(t_n,ρ_n) + I_ξ.   (4.25)

From (4.21) where i = m, (4.23) and (4.24), one obtains that φ; Φ ⊢_{I_(t_m,ρ_m){0/a}} (t_m, ρ_m) : τ and, by (4.22), that

φ; Φ ⊢_{I_(t_m,ρ_m){0/a} + I_ξ} E : σ.

But from (4.25) and (4.23) one easily infers that

φ; Φ ⊨ I > I_(t_m,ρ_m){0/a} + I_ξ,

that is the thesis.

This concludes the proof. □



It is worth noticing that if Φ is inconsistent, the inequality φ; Φ ⊨ I > J in Lemma 4.5, Point 2, does not necessarily imply that the weight strictly decreases. Indeed, Intensional Soundness only holds in the presence of a consistent set of constraints:

Theorem 4.6 (Intensional Soundness). Let ∅; ∅; ∅ ⊢_I t : Nat[J, K] and t ⇓^n m. Then, n ≤ |t| · (⟦I⟧ + 1).

Proof. By induction on n, making essential use of Lemma 4.5 and Lemma 4.2. □

Please observe that an easy consequence of Theorem 4.6 is intensional soundness for functions. As an example, if a; ∅; ∅ ⊢_I t : [b < J] · Nat[a] ⊸ Nat[K, H], then the complexity of evaluating t n is at most |t n| · (⟦I{n/a}⟧ + 1). Observe, however, that |t n| does not depend on n, since |n| = 1.

5. Relative Completeness 

This section is devoted to proving relative completeness for the type system d^PCF. In fact, 
two relative completeness theorems will be presented. The first one (Theorem 15. 6p states 
relative completeness for programs: for each PCF program t that evaluates to a numeral n 
there is a type derivation in d^PCF whose index terms capture both the number of reduction 
steps and the value of n. The second one (Theorem 15.121) states relative completeness for 
functions: for each PCF term t : Nat Nat computing a total function / in time expressed 
by a function g there exists a type derivation in d£PCF whose index terms capture both the 
extensional behavior / and the intensional property embedded into g. 

Relative completeness does not hold in general. Indeed, it holds only when the underly- 
ing equational program £ is universal, i.e. when it is sufficiently expressive as to encode all 
total computable functions. A universal equational program is introduced in Section 15.11 

Relative completeness for programs will be proved using a weighted form of Subject 
Expansion (Theorem 5.5), similar to the one holding in intersection type theories. This will 
be proved in Section 5.2. The proof of relative completeness for functions needs a further 
step: a uniformization result (Lemma 5.11) relying on the properties of the universal model. 
This is the subject of Section 5.3. 

5.1. Universal Equational Program. Since the class of equational programs is clearly 
recursively enumerable, it can be put in one-to-one correspondence with the natural numbers, 
using a coding scheme ⌜·⌝ à la Gödel. Such a coding, as usual, can be used to define a 
universal equational program 𝒰 that is able to simulate all equational programs (including 
itself). 

Let ⌜ℰ, f⌝ be the natural number coding an equational program ℰ and a function symbol 
f among the ones defined in it. This can be easily computed from (a description of) ℰ and 
f. A signature Σ_𝒰 containing just the symbol empty of arity 0 and the symbols pair and 
eval of arity 2 (plus some auxiliary symbols) is sufficient to define the universal program 
𝒰. For each f of arity n, the equational program 𝒰 satisfies 

$$\llbracket \mathtt{eval}(\ulcorner \mathcal{E}, f \urcorner, \mathtt{pairing}_n(x_1, \ldots, x_n)) \rrbracket_{\mathcal{U}} = \llbracket f(x_1, \ldots, x_n) \rrbracket_{\mathcal{E}},$$

where pairing_n(t_1, ..., t_n) is defined by induction on n: 

$$\mathtt{pairing}_0 = \mathtt{empty};$$

$$\mathtt{pairing}_{n+1}(t_1, \ldots, t_{n+1}) = \mathtt{pair}(\mathtt{pairing}_n(t_1, \ldots, t_n), t_{n+1}).$$

This way, 𝒰 acts as an interpreter for any equational program. Such a universal program 
𝒰 can be defined as a finite sequence of equations, similarly to what happens in the 
construction of, e.g., universal Turing machines. 
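As an added illustration (not code from the paper), the following Python model implements pairing_n by the inductive definition above and a toy `eval` that decodes a Gödel-style number ⌜ℰ, f⌝ and interprets ℰ on the packed arguments. The representation of equational programs as rewrite rules over the constructors 0 and S, the byte-string coding, and the sample program ADD are assumptions made here, not the paper's definitions.

```python
# Toy model of the universal equational program U from Section 5.1. This is an
# added example, not code from the paper: an equational program is assumed to be
# a set of rewrite rules over the constructors 0 and S evaluated on natural
# numbers, and the Goedel-style coding <E, f> is the canonical textual
# description of (E, f) read as a big integer (injective and computable from
# the description, which is all the text requires of the coding).
import ast

EMPTY = ()  # the nullary symbol `empty`


def pair(a, b):
    """The binary symbol `pair`."""
    return (a, b)


def pairing(*ts):
    """pairing_0 = empty; pairing_{n+1}(t1..t_{n+1}) = pair(pairing_n(t1..tn), t_{n+1})."""
    acc = EMPTY
    for t in ts:
        acc = pair(acc, t)
    return acc


def unpairing(p):
    """Recover the argument tuple from a pairing_n value."""
    out = []
    while p != EMPTY:
        p, t = p
        out.append(t)
    return tuple(reversed(out))


# A term is an int (numeral), a str (variable) or a tuple (symbol, arg, ...)
# where the symbol is the successor 'S' or a symbol defined by the program.
# A program E maps each defined symbol to a list of rules (argument patterns, rhs).
def match(pattern, value, env):
    """Match a constructor pattern (0, x, or S(p)) against a natural number."""
    if isinstance(pattern, int):
        return pattern == value
    if isinstance(pattern, str):
        env[pattern] = value
        return True
    assert pattern[0] == 'S'
    return value > 0 and match(pattern[1], value - 1, env)


def evaluate(prog, term, env, fuel=400):
    """Value of `term` under E = prog; None when no equation applies (undefined)."""
    if fuel <= 0:
        return None  # assumed cut-off so non-terminating programs yield `undefined`
    if isinstance(term, int):
        return term
    if isinstance(term, str):
        return env[term]
    sym, *args = term
    vals = [evaluate(prog, a, env, fuel - 1) for a in args]
    if any(v is None for v in vals):
        return None
    if sym == 'S':
        return vals[0] + 1
    for patterns, rhs in prog[sym]:
        local = {}
        if all(match(p, v, local) for p, v in zip(patterns, vals)):
            return evaluate(prog, rhs, local, fuel - 1)
    return None  # partiality: the equations say nothing about these arguments


def apply(prog, f, args):
    """[[f(x1..xn)]]_E, the partial function denoted by symbol f of program E."""
    return evaluate(prog, (f, *args), {})


def code_of(prog, f):
    """<E, f>: an injective, computable Goedel-style number for the pair (E, f)."""
    return int.from_bytes(repr((prog, f)).encode(), 'big')


def decode(code):
    """Inverse of code_of: recover (E, f) from its number."""
    text = code.to_bytes((code.bit_length() + 7) // 8, 'big').decode()
    return ast.literal_eval(text)


def eval_u(code, packed):
    """The symbol `eval` of U: [[eval(<E,f>, pairing_n(x1..xn))]]_U = [[f(x1..xn)]]_E."""
    prog, f = decode(code)
    return apply(prog, f, unpairing(packed))


# Constructed sample program: addition, plus a partial function defined only at 0.
ADD = {
    'add': [(('x', 0), 'x'),
            (('x', ('S', 'y')), ('S', ('add', 'x', 'y')))],
    'only_zero': [((0,), 0)],
}

if __name__ == '__main__':
    print(eval_u(code_of(ADD, 'add'), pairing(2, 3)))      # 5
    print(eval_u(code_of(ADD, 'only_zero'), pairing(1)))   # None (undefined)
```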

The universal equational program 𝒰 enjoys some nice properties which are crucial when 
proving Subject Expansion. The following lemma says, for example, that sums and bounded 
sums can always be formed (modulo ≡) whenever index terms are built and reasoned about 
using the universal program: 
Lemma 5.1. 1. For every A and B such that φ;Φ ⊢ A ↓, φ;Φ ⊢ B ↓ and (|A|) = (|B|), 
there are C and D such that φ;Φ ⊢ C ⊑ A, φ;Φ ⊢ D ⊑ B and C ⊎ D is defined. 

2. For every A and I such that φ,a;Φ,a < I ⊢ A ↓ and φ;Φ ⊢ I ↓, there is B such that 
φ,a;Φ,a < I ⊢ B ≡ A and Σ_{a<I} B is defined. 

Proof. These are inductions on the structure of the involved formulas. Actually, it is convenient 
to enrich the statements above (which only deal with modal types) with similar 
statements involving basic types, this way facilitating the inductive argument. □ 

5.2. Subject Expansion and Relative Completeness for Programs. Weighted Subject 
Expansion (Theorem 5.5 below) says that typing is preserved while weights increase 
by at most one along any K_PCF expansion step. This is somehow the converse of Weighted 
Subject Reduction. Weighted Subject Expansion, however, does not hold in general but 
only when the underlying equational program is universal. 

In order to prove Weighted Subject Expansion, only typings that carry precise information 
should be considered. As an example, we write φ;Φ ⊩_I C : σ if we can derive 
φ;Φ ⊢_I C : σ by precise type derivations. The type of a precisely-typable configuration, 
in other words, carries exact information about the value of the objects at hand. One can 
easily extend the above notation to type derivations for closures and stacks. Recall that 
a precise type derivation is a type derivation such that all premises in the form σ ⊑ τ 
(respectively, in the form I ≤ J) are actually required to be in the form σ ≡ τ (respectively, 
I ≡ J). 

Furthermore, only specific typing transformations should be considered, namely those 
that leave the weight information unaltered. In order to achieve this, some properties of 
precise typability for the K_PCF machine should be exploited. As an example, if a closure is typable as 
φ;Φ ⊩_I (t,ρ) : σ, then φ;Φ ⊩_J (t,ρ) : τ whenever τ and J are such that φ;Φ ⊢ σ ⊑ τ and 
φ;Φ ⊨ I = J. This is a natural variation on the Subtyping Lemma for terms (Lemma 3.7). 

Finally, it is worth noticing that by considering an inconsistent set of constraints it 
is possible to make any closure (t,ρ) typable with type σ (in the sense of PCF) to be also 
typable in the sense of dℓPCF: φ;Φ ⊩_I (t,ρ) : τ whenever (|τ|) = σ, and this for every index term 
I. This says that inconsistent sets play a role similar to the ω-rule in intersection type 
systems. 

The following two lemmas will be useful in the sequel; they allow one to "join" apparently 
uncorrelated typing judgements into one: 

Lemma 5.2. Let θ be the substitution {a + I/a}. Suppose that π ▷ φ,a;Φ,a < I ⊩_H C : σ, 
that ρ ▷ φ,a;Φθ,a < J ⊩_{Hθ} C : σθ, and that (|π|) = (|ρ|). Then, φ,a;Φ,a < I + J ⊩_H C : σ. 

Proof. By simultaneous induction on π and ρ. We make essential use of the implicit 
assumption about the universality of the underlying equational program. □ 

Lemma 5.3. Let θ be the substitution {Σ_{c<a} J + b / c}. Suppose that π ▷ φ,a,b;Φθ,a < I, b < J ⊩_{Hθ} C : σθ. 
Then, φ,c;Φ,c < Σ_{a<I} J ⊩_H C : σ. 

Proof. By induction on the derivation π, again using the properties of a universal equational 
program. □ 
But there are other ways to turn two typing derivations into a more general one, 
again relying on the semantic nature of dℓPCF: 

Lemma 5.4. Suppose that π ▷ φ;Φ,I ≤ J ⊩_K C : σ, that ρ ▷ φ;Φ,I > J ⊩_K C : σ, and that 
(|π|) = (|ρ|). Then, φ;Φ ⊩_K C : σ. 

It is now time to state Weighted Subject Expansion, since all the necessary ingredients 
have been introduced: 

Theorem 5.5 (Weighted Subject Expansion). Suppose that π ▷ φ;Φ ⊩_I D : σ and that 
ρ → (|π|), where ρ ▷ ⊢ C : (|σ|). Then ν ▷ φ;Φ ⊩_J C : σ, where φ;Φ ⊨ J ≤ I + 1 and 
(|ν|) = ρ. Moreover, ν can be effectively computed from π and ρ. 

Proof. The proof is by cases on the shape of the reduction C → D. We just present some 
cases; the others can be obtained analogously. 

• Consider the case 

C = (0, ρ, (t,u,μ)·ξ) → (t, μ, ξ) = D. 
By assumption we have that C is typable in PCF and that φ;Φ ⊩_I D : σ. So, we have 
that 

Ihi^ i : (r,a); 

HI = +1?; 

for some l(t,iM) and I^. We clearly also have that (/>; <1>, ^ Ihi^j (t, fJ-) '■ t. 1 ^ is 
an inconsistent set of constraints, and since C is typable in PCF (as remarked above), 
we also have that i;^); <I>, 1 ^ ||-i(( {u, p) : r. This implies, in particular, that cj), <I> Ihi 
{t,u,p) ■ ^ : (Nat[0],(T). Now, assume that p = {ti,pi) ■ . . . ■ {tn, Pn) where for every 
1 ^ i ^ n, {ti,pi) is typable in PCF. Since <l>,a < is inconsistent, we have that 

(p,a;^,a <0 Iho iti,Pi) ■ Pi 

for some pi. By Lemma 13.81 we can build a derivation for 

0; j;i : [a < 0] • pi, . . . , : [a < 0] • /i„ Iho : Nat[0]. 

So, we have that 

0;^ Iho (0,p) : Nat[0]. 

Summing up, we obtain that 

<t); $ Ihi C : fj, 

from which the thesis easily follows, since (f)\^ ^I^I + l. 

• Consider the case 

C = (λx.t, ρ, c·ξ) → (t, c·ρ, ξ) = D. 
By assumption we have that C is typable in PCF and that φ;Φ ⊩_I D : σ. So, we have 
that 

(/); $; xi : [a < Ki] • Ti, . . . , x„ : [a < K„] • r„ Ihit t ■ A*; 

0, a;$,a < Kj Ihi^. Q : n; 
where: 

0; $ h I = It + Ki + . . . + K„ + ^ Ici + . . . + 2 Ic„ + 

a<Ki a<K„ 

For simplicity and without losing any generality, we can consider the case where c·ρ = 
c_1 ... c_n with x = x_1 and c = c_1. So, in particular, we can build a derivation ending as 
follows: 

^; xi : [g < Ki] • Ti, . . . , x„ : [q < K^] • Ihit t : 

0; $; X2 : [a < K2] • r2, . . . , : [a < K„] • t„ Ihi^ Axi.t : [a < Ki] • n ^ 
and thus we have that 0; $ ^ p) (Ax.i, p) : [a < Ki] • ri ^ /x, where 

I(Ac..t,p) = It + K2 + . . . + K„ + 2 Ic2 + ...+ 2 Ic„. 

a<K2 a<K„ 

Further, we have that 

^ IH^+Ki+2„<Ki • : ([a < Ki] ■ n ^ fi, a) 
and, as an easy consequence, that 

IH(,..,,,)+i^+Ki+2,,Kiici : f^- 
This easily leads to the conclusion, since 

(/); $ h I = It + Ki + . . . + K„ + 2 Ici + • • • + 2 Ic„ + I? 

a<Ki a<K„ 

= Wt,p) + I? + Ki + X! Ici- 

a<Ki 

• Consider the case 

C = (fix x.t, ρ, ξ) → (t, (fix x.t, ρ)·ρ, ξ) = D. 

By assumption we have that C is typable in PCF and that φ;Φ ⊩_I D : σ. So, we have 
that 

0;$;xi : [a < Ki] • n, . . . ,x„ : [o < K„] • r„ Ht t : p; (5.1) 

0, a; a < Kj Ihi^. Cj : n; (5.2) 

<^;$H^^: (/x,(7); (5.3) 

where: 

hI = It + Ki + ... + K„+ 2 Ici + -..+ 2 Ic„+Ie- (5.4) 

a<Ki a<K„ 

For simplicity and without losing any generality, we can consider the case where (fix x.t, ρ)· 
ρ = c_1 ... c_n with x = x_1 and (fix x.t, ρ) = c_1. As a consequence, we can conclude that: 

(j), a; a < Ki; V ^ , fix x.t : n; (5.5) 

^, a, 6; a < Ki, 6 < Hj Ihj^. Q : /x^; (5.6) 
where F = X2 : [6 < H2] ■ p2-, ■ ■ ■ ,Xn : \b < H„] • pn, and 

a; a < Ki h Ici = Ifix x.t + ^2 + ■ ■ ■ + + X! Jc2 + • • • + 2 J'^™" (^•''') 

6<H2 6<H„ 

Our objective now is to prove that 

'^'^H(,,_.,,,) (fixx.i,p) ://, (5.8) 
where φ;Φ ⊨ I_(fix x.t,ρ) = I − I_ξ. The thesis easily follows from (5.8). To do that, we 
proceed by spelling out what the premises of (5.5) are. They are: 

0,1 6+l,c 

(j), a,b;<^, a <Ki, b < @F- X ■.[c<F]--f{@ P + b + 1/6}, A lhj, t : 7, (5.9) 

b b 

and the following two: 

(j), a;^,a< Ki Ih n ^ j{0/b}; 



^.,o;^>,a < Ki IhT ^ ^ A; 



where P and Jf are index terms such that 



0,1 



,/.,a;^>,a<Ki hlfixx.t = @P-1+ J] Jt- (5.10) 

b<@°'^p 

Now, consider an index term N such that 

0,1 0,1 
0;$ h@N = 1+ 2 @P 

b a<Ki b 

Such an index term can be easily defined from P and K_1, given that the underlying 
equational program is assumed to be universal. For the same reasons, one can define 
types δ and ν, a type context Ξ and an index term R such that the following holds 
(where is {1 P + V^}): 

0,1 

0;$ Ih v{0/b} = n; <j),a,b;$,a < Ki, fe < @ P Ih 776I = 7; 

b 

0,1 6+1, c 

Ih 5{0/b} = Ti; 0,a,fe,c;$,a < Ki, & < @P,c< P, Ih 59 = ^{ @ P + b + l/b}; 

b b 
0,1 

(jj; $ Ih R{0/6} = It; (j),a,b;$,a <Ki,b <@P \=Re = Jt; 

b 
0,1 

(^;$ Ih E{0/6} s P; a, 6; <1>, a < Ki, 6 < (S) P Ih Eg A. 

b 



This is possible since the type derivations for (5.1) and (5.9) have exactly the same PCF 
skeleton. By transforming them according to the equations above, one can merge them 
into one with conclusion: 

0,1 

(/), 6; 6 < (S) N; X : [a < N] • (5, S IhR t : V- 

b 

So, by using again the R rule we obtain: 

^; S ^ N-i+s,,^o,i ^ R f : 
We are not at (5.8) yet, however: it is still necessary to type ρ appropriately. But note that 
we have: 

fe<@°'^N b<@°'^N^l a<Ki {,<(g)0.i p a<Ki 

So we can find types β_2, ..., β_n such that 

2 S = X2 : [a < K2 + 2 H2] • ^2, ■ ■ ■ , : [a < K„ + ^ H„] ■ 

6<@°'^N a<Ki a<Ki 

where for every 2 ≤ i ≤ n, 

0, a;$,a < Kj Ih /3j ^ r^; 
a; a < Ki, 6 < Hi Ih AjKj + 6 + ^ Hj/a} ^ /ij. 

a<a 

Similarly, one can define index terms Q_2, ..., Q_n such that 

a<a 

By relabelling the type derivations of (5.2) and (5.6) (which are structurally equal) 
according to the types and index terms introduced above, one obtains: 

0, a; a < Ki + ^ Hj Ihq, Q : ft; 

a<Ki 

From this it follows that <1> Ihi^j^^ ^ ^ (fix x.t, /)) : ;U, where 
0,1 

I(fixx.t,p) = ((§)N-l+ 2 R) + (k2+ 2 H2 + --- + K„+ 2 H„+ 

2 Q2 + ---+ 2 Q")- 

Let us separately analyze the two chunks into which the expression above can be 
decomposed. On the one hand we have that: 

h(§)N-l+ 2 R= 2 @P + It+ 2 S J* 

^ ;><@6'^N a<Ki ^ a<Kif,<@o,ip 

= Yi x.t + Ki 

a<Ki 

On the other hand, let us observe that 

0;<i>h 2 Q2 + ---+ 2 

C'<(K2+I],<KiH2) a<(Kn+S,<Ki H„) 

a<K2 a<K2 fe<H2 a<K„ a<K„ 6<H„ 

Combining the equations above with (5.4), (5.7) and (5.10), one easily reaches φ;Φ ⊨ 
I_(fix x.t,ρ) = I − I_ξ, which is the thesis. 
• Consider the case 

C = (if z w then u else v, ρ, ξ) → (w, ρ, (u,v,ρ)·ξ) = D. 
By assumption we have that C is typable in PCF and that φ;Φ ⊩_I D : σ. So, we have 



that 



i xi : [a < Ki] • Ti, . . . , x„ : [a < K„] • r„ Ihi^ w ■ Nat[H]; 

(j),a; $,a < Kj Ihi^. Q : Tf, 



^Hlhi, 



{u,v,p) 



{v,p) : p; 

where ρ = c_1 ... c_n. Moreover: 

(/>; $ h I = + Ki + . . . + K„ + 2 + . . . + Yi + IC^.'^.P) + 

a<Ki a<K„ 

By further spelling out (5.13) and (5.14), we obtain the following: 

H ^ 0; xi : [a < Hi] • 71, . . . , x„ : [a < H„] • 7„ ||-i„ n : /x; 

(/), a; H ^ 0, a < Hj lhj,^ Q : Ji] 
(/); 1 ^ H; xi : [a < Li] • (5i, . . . , x„ : [a < L„] • (5„ ||-i„ v : p; 

(p,a;^,l ^ H, a < Lj H-m^. Q : 5i; 



(5.11) 
(5.12) 
(5.13) 
(5.14) 
(5.15) 

(5.16) 



(5.17) 
(5.18) 
(5.19) 
(5.20) 



where 



i;^>,H^O h W,p) = In + Hi 
!.;«>, 1 ^ H h liu,v,p) = + Li - 



a<Hi a<H„ 

.+L„+ 2 M,, + ...+ 2 M,„. 

a<Li a<hn 

Please notice how the type derivations for (5.12), (5.18) and (5.20) are structurally 
identical, i.e., their PCF counterparts are the same. Now, let us build index terms 
N_1, ..., N_n, P_{c_1}, ..., P_{c_n}, I_uv and types η_1, ..., η_n such that: 

0;$,H^OhN, = H,; 

0;$,H HI™ = In, 
^ H HI™ = I^;; 
0;$,a < Kj h Pc, = Ic,; 
0;$,H^O,a<Hi h Pcja + K^/a} = J^,; 
^H,o<Li hPcJa + Ki/a} =Me,; 
(^;^>,a < Kj Ih r/j ^ 
0; H ^ 0, a < Hi lh r/j{a + Ki/a} ^ -ff, 
0; 1 ^ H, a < Li lh Vi{a + Ki/a} ^ 6i. 
As a consequence, one can rewrite (5.11), (5.17) and (5.19) as follows: 
0; xi -.[a < Ki] • 771, . . . , a;„ : [a < K„] • r]n w : Nat[H]; 
0; H < 0;xi : [a < Ni] • r?i{a + Ki/a}, . . . ,x„ : [o < N„] • 77„{a + K„/a} ||-i„„ m : n; 
0; 1 ^ H;a;i : [o < Ni] • 7?i{o + Ki/o}, . . . ,a;„ : [o < N„] • r]„{a + K„/o} ||-i„„ v : //; 

from which one obtains 

0; xi : [o < Ki + Ni] • 771, . . . , x„ : [o < K„ + N„] • rjn ll-i„+i„„ if z w then u else v : //. 

Similarly, one obtains that 

(j), a; a < Kj + Nj lhp^. Q : r]i; 
and, as a consequence, that φ;Φ ⊩_{I_C} C : σ, where 

Ic = I«,+I«^ + Ki + Ni + ... + K„ + N„+ 2 Pci + ---+ 2 P'^"- 

a<Ki+Ni a<K„+N„ 

But observe that 

.^;$,H<OhIc = I«, + I« + Ki + ... + K„+ 2 Pci + ...+ X! 

a<Ki a<K„ 

+ Ni + ... + N„+ 2 p{a + Ki/a} + ---+ ^ P{o + K„/a} 

a<Ni a<N„ 

= + I„ + Ki + . . . + K„ + 2 Ici + • • • + 2 

a<Ki a<K„ 

+ Hl + ...+H„+ ^ Jci+---+ X! 

a<Hi a<H„ 

= + Ki + . . . + K„ + 2 Ici + . . . + 2 + I(«,„,p) = I- 

a<Ki a<K„ 

Similarly, one can prove that φ;Φ,1 ≤ H ⊨ I_C = I. Summing up, we get φ;Φ ⊨ I_C = I, 
which is the thesis. 
• Consider the case 

C = (Xm, i{to,Po), ■■■ , {tn,Pn)),0 ^ itm,Pm,0 = D. 

By assumption we have that C is typable in PCF and that φ;Φ ⊩_I D : σ. So, we have 
that 

0;<i>H, e:(T,a); (5.22) 

where φ;Φ ⊨ I = I_(t_m,ρ_m) + I_ξ. Any closure (t_i, ρ_i) (where 1 ≤ i ≤ n but i ≠ m) can be 
typed as follows: 

^;$,a < Iho (ii,Pi) : P-i 
for some type μ_i. This is because all these closures are by hypothesis typable in PCF 
and, moreover, a < 0 is inconsistent. For obvious reasons, 

(/);^>,a < 1 H(,^,,^) {tm,Pm) ■■ T. 
Finally, we can build the following type derivation 

Ih t{0/6} E t 



(/>; xi : [ai < 0] • /ii, . . . , Xm : [a < 1] • r, . . . , x„ : [a„ < 0] • /i„ Iho Xm ■ r 

But all this implies that φ;Φ ⊩_{I_C} C : σ where φ;Φ ⊨ I_C = I + 1, which implies the 
thesis. 

This concludes the proof. □ 

Relative completeness for programs is a direct consequence of Weighted Subject 
Expansion: 

Theorem 5.6 (Relative Completeness for Programs). Let t be a PCF program such that 
t ⇓^n m. Then, there exist two index terms I and J such that ⟦I⟧ ≤ n and ⟦J⟧ = m and 
such that the term t is typable in dℓPCF as ⊢_I t : Nat[J]. 

Proof. By induction on n using Weighted Subject Expansion and Lemma 4.1. □ 



5.3. Uniformization and Relative Completeness for Functions. It is useful to recall 
that by relative completeness for functions we mean the following: for each PCF term t 
computing a total function f in time expressed by a function g there exists a type derivation 
in dℓPCF whose index terms capture both the extensional functional behavior f and the 
intensional property g. Anticipating what follows, and using an intuitive notation, this 
can be expressed by a typing judgement like 

a;∅;x : Nat[a] ⊢_{g(a)} t : Nat[f(a)]. 

In order to show this form of relative completeness, a uniformization result for type 
derivations needs to be proved. 

Suppose that {π_n}_{n∈ℕ} is a sufficiently "regular" (i.e. recursively enumerable) family of 
type derivations such that every π_n is mapped by (|·|) to the same PCF type derivation. 
Uniformization tells us that, under the hypothesis above, there is a single type derivation 
π which captures the whole family {π_n}_{n∈ℕ}. In other words, uniformization is an extreme 
form of polymorphism. Note that, for instance, uniformization does not hold in intersection 
types, where uniform typing permits only the definition of small classes of functions [28, 8, 9]. 

More formally, a family {π_n}_{n∈ℕ} of type derivations is said to be recursively enumerable 
if there is a computable function f which, on input n, returns (an encoding of) π_n. Similarly, 
recursively enumerable families of index terms, types and modal types can be defined. 

It is easy to turn "uniform families" of semantic entailments into one compact form: 

Lemma 5.7. 1. If for every n ∈ ℕ it holds that φ;Φ{n/a} ⊨ I{n/a} ≤ J{n/a}, then 
φ,a;Φ ⊨ I ≤ J. 

2. If for every n ∈ ℕ it holds that φ;Φ{n/a} ⊨ I{n/a} ≡ J{n/a}, then φ,a;Φ ⊨ I ≡ J. 

Proof. This is just a trivial consequence of the way semantic entailment is defined. Suppose, 
for example, that for every n ∈ ℕ the following holds: φ;Φ{n/a} ⊨ I{n/a} ≡ J{n/a}. 
Now, what should we do to prove φ,a;Φ ⊨ I ≡ J? We should prove that, for every value 
of the variables in φ,a satisfying Φ, I and J are equal in the sense of Kleene. But this is 
just what the hypothesis ensures. □ 

Before embarking on the proof of uniformization for type derivations, it makes sense to 
prove the same result for index terms and types, respectively. 

Lemma 5.8 (Uniformizing Index Terms). Suppose that: 

1. {I_n}_{n∈ℕ} is recursively enumerable, where for every n ∈ ℕ, I_n is an index term on a 
signature Σ_ℰ; 

2. There is a finite set of variables φ = a_1, ..., a_m such that any variable appearing in any 
I_n is in φ. 

Then there is a term I on the signature Σ_𝒰 such that φ;Φ ⊢^𝒰 I{n/a} ≡ I_n for every n. 
Proof. Consider the function f : ℕ^{m+1} ⇀ ℕ defined as follows: f(x_0, x_1, ..., x_m) is the value 
of I_{x_0} when the variables a_1, ..., a_m take the values x_1, ..., x_m, respectively. 

An algorithm computing f can be defined as follows: 

• From x_0, compute I_{x_0}. Again, this can be done effectively. 

• Evaluate I_{x_0} where the variables a_1, ..., a_m take the values x_1, ..., x_m, respectively. 

In other words, f is computable. Thus, the existence of a term I like the one required is a 
consequence of the universality of the equational program 𝒰. □ 

Observe how the index terms in {I_n}_{n∈ℕ} need not be defined for all values of the variables 
occurring in them. More: their domains of definition can all be different. The way I is 
defined, however, ensures that ⟦I{n/a}⟧ is defined iff ⟦I_n⟧ is defined. Uniformizing types 
requires a little more care: 

Lemma 5.9 (Uniformizing Types and Modal Types). Suppose that {π_n}_{n∈ℕ} is recursively 
enumerable and that: 

1. for every n ∈ ℕ, π_n ▷ φ;Φ_n ⊢ σ_n ↓; 

2. for every n, m ∈ ℕ, (|σ_n|) = (|σ_m|); 

3. every Φ_n has the form I^n_1 ≤ J^n_1, ..., I^n_m ≤ J^n_m, where m does not depend on n. 

Then there is one type σ such that: 

1. φ,a;Φ ⊢^𝒰 σ ↓; 

2. Φ = I_1 ≤ J_1, ..., I_m ≤ J_m; 

3. for every 1 ≤ p ≤ m, both φ;Φ ⊢ I_p{n/a} ≡ I^n_p and φ;Φ ⊢ J_p{n/a} ≡ J^n_p; 

4. for every n ∈ ℕ, it holds that φ;Φ{n/a} ⊢ σ{n/a} = σ_n. 

Moreover, the same statement holds for modal types. 

Proof. The proof goes by induction on the structure of the type (|σ_0|) and of the modal 
type (|A_0|). An essential ingredient in the proof is, of course, Lemma 5.8. Suppose, as an 
example, that (|σ_0|) = Nat. This implies that there are index terms K_n, H_n such that, for 
every n ∈ ℕ, 

σ_n = Nat[K_n, H_n]. 

Now, let I_1, J_1, ..., I_m, J_m, K, H be the index terms obtained from the families 

{I^n_1}_{n∈ℕ}, {J^n_1}_{n∈ℕ}, ..., {I^n_m}_{n∈ℕ}, {J^n_m}_{n∈ℕ}, {K_n}_{n∈ℕ}, {H_n}_{n∈ℕ} 

through Lemma 5.8. Let Φ be just I_1 ≤ J_1, ..., I_m ≤ J_m and let σ be Nat[K,H]. From 
π_n ▷ φ;Φ_n ⊢ σ_n ↓, it follows that 

φ;Φ{n/a} ⊢^𝒰 K{n/a} ↓; (5.23) 
φ;Φ{n/a} ⊢^𝒰 H{n/a} ↓. (5.24) 

By Lemma 5.7 it follows that 

which implies φ,a;Φ ⊢^𝒰 σ ↓. From (5.23) and K{n/a} ≡ K_n, it follows that 

φ;Φ{n/a} ⊢^𝒰 K{n/a} = K_n. 
Similarly, from (5.24) one obtains 

φ;Φ{n/a} ⊢^𝒰 H{n/a} = H_n. 

As a consequence, φ;Φ{n/a} ⊢ σ{n/a} = σ_n. □ 

Now that we are able to unify a denumerable family of types into one, we have all the 
necessary tools to turn a family of judgements into one. For subtyping judgments, the task is 
relatively simple, because types and index terms occurring inside any subtyping derivation 
also occur in its conclusion: 

Lemma 5.10 (Uniformizing Subtyping Judgments). If for every n ∈ ℕ it holds that 
φ;Φ{n/a} ⊢ σ{n/a} ⊑ τ{n/a}, then φ,a;Φ ⊢ σ ⊑ τ. 

Proof. This is an induction on the structure of σ. If, as an example, σ = Nat[I, J], 
then τ = Nat[K, H]. From the hypothesis, we know that 

φ;Φ{n/a} ⊨ K{n/a} ≤ I{n/a}; 

φ;Φ{n/a} ⊨ J{n/a} ≤ H{n/a}. 

By Lemma 5.7 we can conclude that 

φ,a;Φ ⊨ K ≤ I; 
φ,a;Φ ⊨ J ≤ H; 

which immediately yields the thesis. □ 

In typing judgments, on the other hand, there can be types and index terms which occur 
in the derivation but not in its conclusion (think about how applications are typed). We 
then need to impose some further constraints on the kind of (type derivation) families which 
we can unify: 

Lemma 5.11 (Uniformizing Typing Judgments). If for every n ∈ ℕ it holds that π_n ▷ 
φ;Φ{n/a};Γ{n/a} ⊢_{I{n/a}} t : σ{n/a}, where {π_n}_{n∈ℕ} is recursively enumerable and such 
that (|π_n|) = (|π_m|) for every n, m ∈ ℕ, then φ,a;Φ;Γ ⊢_I t : σ. 

Proof. The proof goes by induction on the structure of t. Some interesting cases: 
• Suppose that t is a variable x. Then π_n has the following shape: 

${n/a} ^ J{n/a} (j); ${n/a} 1 ^ I{n/a} 
(/>;${n/a} a{n/a}{0/b} E r{n/a} 
0; ${n/a} {[a < I{n/a}] ■ a) H 0; ${n/o} A{n/a} ^ 

(P; ^{n/a}; A{n/a},x : [b < l{n/a}] ■ ajn/a} h^^^/^j x : T{n/a} 
Notice that σ{n/a}{0/b} is literally the same as σ{0/b}{n/a}. Lemma 5.7 and Lemma 5.10 
allow us to derive the following 

</>,a;^> ^ J; 

</.,a;«> a{0/b} E r; 
</.,a;«>h" ([a<I]-a) ^; 

from which the thesis easily follows. 

• Suppose that t is uv. Then the derivations in {π_n}_{n∈ℕ} have the following shape: 

(p; ${n/a}; r„ h^^ t : [6 < I„] • f7„ ^ T{n/a} 
(j), b; ^{n/a}, b < I„; A„ h|^^ u : o-„ 
0; <I>{n/a} S{n/a} E r„ A„ 
cD{n/a} H{n/a} ^ + + Il^^i^ K„ ^ 

0; ${n/a}; S{n/a} h^{„/„} tu : T{n/a} 

By Lemma 5.8 and Lemma 5.9 there are index terms I, J, K and a type σ, and typing 
contexts Γ and Δ such that the following holds: 
0; I{n/a} ^ I„; 

J{n/a} ^ Jn; 
0,6;6<I{n/a} K{n/a} ^ K„; 

0, b; ^{n/a}, b < l{n/a} cr{n/a} ^ fT„; 

0,6;«>,6<Ih"r|t; 
0, 6; «>{n/a}, 6 < I{n/a} r{n/a} ^ L,; 

0,6;«>,6 < I A 4; 
0, 6; «>{n/a}, b < l{n/a} A{n/a} ^ A„. 
From the above, we first of all obtain 

$$\varphi; \Phi\{n/a\} \models H\{n/a\} \le J\{n/a\} + I\{n/a\} + \sum_{b < I\{n/a\}} K\{n/a\},$$

that by Lemma 5.7 becomes 

$$\varphi, a; \Phi \models H \le J + I + \sum_{b < I} K.$$

Analogously, this time through Lemma 5.10, one easily reaches 

Again, one can reach 

φ;Φ{n/a};Γ{n/a} ⊢_{J{n/a}} t : [b < I{n/a}]·σ{n/a} ⊸ τ{n/a}; 

φ,b;Φ{n/a},b < I{n/a};Δ{n/a} ⊢_{K{n/a}} u : σ{n/a}; 

to which one can apply the induction hypothesis. The thesis easily follows. 
This concludes the proof. □ 

Uniformization is the key to proving relative completeness for functions from relative 
completeness for programs: 

Theorem 5.12 (Relative Completeness for Functions). Suppose that t is a PCF term such 
that ⊢ t : Nat ⊸ Nat. Moreover, suppose that there are two (total and computable) functions 
f, g : ℕ → ℕ such that t n ⇓^{g(n)} f(n). Then there are terms I, J, K with ⟦I + J⟧ ≤ g and 
⟦K⟧ = f, such that 

a;∅;∅ ⊢_I t : [b < J]·Nat[a] ⊸ Nat[K]. 

Proof. A consequence of relative completeness for programs (Theorem 5.6) and Lemma 
5.11. Indeed, a type derivation for a;∅;∅ ⊢_I t : [b < J]·Nat[a] ⊸ Nat[K] can be obtained 
simply by uniformizing all type derivations π_n for programs in the form t n. In turn, those 
type derivations can be built effectively by way of Subject Expansion. □ 



6. On the Undecidability of Type Checking 

As we have seen in the last two sections, dℓPCF is not only sound, but complete: all true 
typing judgements involving programs can be derived, and this can be indeed lifted to 
first-order functions, as explained in Section 5. 

There is a price to pay, however. Checking a type derivation for correctness is undecidable 
in general, simply because it can rely on semantic assumptions in the form of 
inequalities between index terms, or on subtyping judgements, which themselves rely on 
the properties of the underlying equational program ℰ. If ℰ is sufficiently involved, e.g. if 
we work with 𝒰, there is no hope of finding a decidable complete type checking procedure. In 
this sense, dℓPCF is a non-standard type system. 

Indeed, dℓPCF is not actually a type system, but rather a framework in which various 
distinct type systems can be defined. Concrete type systems can be developed along two 
axes: on the one hand by concretely instantiating ℰ, on the other by choosing specific 
and sound formal systems for the verification of semantic assumptions. This way sound 
and possibly decidable type systems can be derived. Even if completeness can only be 
achieved if ℰ is universal, soundness holds for every equational program ℰ. Choosing a 
simple equational program ℰ results in an (incomplete) type system for which the problem 
of checking the inequalities can be much easier, if not decidable. And even if ℰ remains 
universal, assumptions could be checked using techniques such as abstract interpretation or 
theorem proving. 

By the way, the phenomenon just described is not peculiar to dℓPCF. Unsurprisingly, 
program logics have similar properties, since the rule 

$$\frac{p \Rightarrow r \qquad \{r\}\,P\,\{s\} \qquad s \Rightarrow q}{\{p\}\,P\,\{q\}}$$

is part of most relatively complete Hoare-Floyd logics and, of course, the premises p ⇒ r 
and s ⇒ q have to be taken semantically for completeness to hold. 

7. dℓPCF and Implicit Computational Complexity 

One of the original motivations for the studies which led to the definition of dℓPCF came 
from Implicit Computational Complexity. There, one aims at giving characterizations of 
complexity classes which can often be turned into type systems or static analysis methodologies 
for the verification of the resource usage of programs. Historically [MIES], what prevented 
most ICC techniques from finding concrete applications along this line was their poor expressive 
power: the class of programs which can be recognized as being efficient by (tools derived 
from) ICC systems is often very small and does not include programs corresponding to 
natural, well-known algorithms. This is true despite the fact that ICC systems are extensionally 
complete — they capture complexity classes seen as classes of functions. The kind 
of Intensional Completeness enjoyed by dℓPCF is much stronger: all PCF programs with a 
certain complexity can be proved to be so by deriving a typing judgement for them. 

Of course, dℓPCF is not at all an implicit system: bounds appear everywhere! On 
the other hand, dℓPCF allows one to analyze the time complexity of higher-order functional 
programs directly, without translating them into low level programs. In other words, dℓPCF 
can be viewed as an abstract framework in which to experiment with new implicit computational 
complexity techniques. 

8. Related Work 

Other type systems can be proved to satisfy completeness properties similar to the ones 
enjoyed by dℓPCF. 

The first example that comes to mind is the one of intersection types. In intersection 
type disciplines, the class of strongly and weakly normalizable lambda terms can be 
captured [10]. Recently, these results have been refined in such a way that the actual 
complexity of reduction of the underlying term can be read from its type derivation [14, 7]. 
What intersection types lack is the possibility to analyze the behavior of a functional term 
in one single type derivation — all function calls must be typed separately [28, 8, 9]. This is 
in contrast with Theorem 5.12, which gives a unique type derivation for every PCF program 
computing a total function on the natural numbers. 

Another example of type theories which enjoy completeness properties are refinement 
type theories [17], as shown in [15]. Completeness, however, only holds in a logical sense: 
any property which is true in all Henkin models can be captured by refinement types. The 
kind of completeness we obtain here is clearly more operational: the result of evaluating a 
program and the time complexity of the process can both be read off from its type. 

As already mentioned in the Introduction, linear logic has been a great source of inspiration 
for the authors. Actually, it is not a coincidence that linear logic was a key ingredient 
in the development of one of the earliest fully-abstract game models for PCF. Indeed, dℓPCF 
can be seen as a way to internalize history-free game semantics [1] into a type system. And 
already BLL and QBAL, both precursors of dℓPCF, have been designed being greatly inspired 
by the geometry of interaction. dℓPCF is a way to study the extreme consequences 
of this idea, when bounds are not only polynomials but arbitrary first-order total functions 
on natural numbers. 